Reputation: 3391
My question is related to this blog post: https://developer.okta.com/blog/2019/10/21/illustrated-guide-to-oauth-and-oidc
In step 5, the authorization server returns an authorization code to the client:
Right after that, in step 6, the client returns this authorization code back to the server, together with the Client ID and Client secret, and receives the access token. What's the purpose of this "Authorization Code round trip"?
Upvotes: 2
Views: 155
Reputation: 6639
I believe you are asking “why not just return the access token directly rather than first getting an authorization grant and then trading it for the access token?” The answer is because that would be insecure.
The authorization grant is returned in a query parameter of the redirection URI. Putting sensitive values in a query parameter is a no-no: these values get logged in web browsers and web server logs. The OAuth protocol works around this security no-no by using an authorization grant that is one-time use. Once that authorization grant is exchanged for an access token, that grant is no longer valid and cannot be re-used. Hence, the fact that it is logged means that it doesn’t matter: by the time it is logged, it is no longer valid. On the other hand, the access token is for multiple uses, and therefore cannot be logged — which implies that it is not safe to put in the query parameter.
That’s the entire reason why they introduce the authorization grant extra layer of complexity. If a server allows the authorization grant to be used multiple times, that would be a security bug (it is prohibited in the OAuth protocol).
That’s an excellent blog on OAuth, BTW. One of my favourites.
Upvotes: 1
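The answer above describes the round trip in prose; the following is an added toy model of it in Python, not code from the question, the answer, or the Okta post. It assumes a constructed client (`app123`, its secret and redirect URI) and an in-memory store. Step 5 (`authorize`) hands the code back in the redirect URI's query string, exactly the place that ends up in browser history and server logs; step 6 (`token`) is the back-channel exchange that also requires the client secret. The server checks the code is bound to the same client and redirect URI, has not expired, and has not been used before; a replayed code is refused and, as RFC 6749 section 4.1.2 requires, the access token previously issued on that code is revoked. It also shows that a code lifted from a log is useless to someone who does not hold the client secret.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

CODE_TTL_SECONDS = 60  # RFC 6749 says codes should be short-lived (10 minutes at most)


class AuthorizationServer:
    """Toy authorization server modelling the code round trip (constructed example)."""

    def __init__(self, clients, now=time.time):
        # clients: client_id -> {"secret": str, "redirect_uri": str} (registered out of band)
        self._clients = clients
        self._codes = {}    # code -> record describing who it was issued to and whether it is spent
        self._tokens = {}   # access_token -> record; presence means the token is live
        self._now = now     # injectable clock so expiry can be tested deterministically

    def authorize(self, client_id, redirect_uri, user):
        """Step 5: after the user consents, mint a one-time code and redirect back with it."""
        client = self._clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)  # unguessable; the browser will carry this in the URL
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "user": user,
            "expires": self._now() + CODE_TTL_SECONDS,
            "used": False,
            "token": None,
        }
        return f"{redirect_uri}?code={code}"  # this URL is what browsers and servers log

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step 6: back-channel exchange of code (+ client credentials) for an access token."""
        client = self._clients.get(client_id)
        # Constant-time compare so the secret check does not leak timing information
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        rec = self._codes.get(code)
        # The code must be bound to this client and to the redirect URI it was sent to
        if rec is None or rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            return {"error": "invalid_grant"}
        if rec["used"]:
            # Replay detected: deny, and revoke the token issued on the first use (RFC 6749 §4.1.2)
            self._tokens.pop(rec["token"], None)
            return {"error": "invalid_grant"}
        if self._now() > rec["expires"]:
            return {"error": "invalid_grant"}
        rec["used"] = True  # the code is spent from here on, whatever was logged no longer matters
        access_token = secrets.token_urlsafe(32)
        rec["token"] = access_token
        self._tokens[access_token] = {"client_id": client_id, "user": rec["user"], "code": code}
        return {"access_token": access_token, "token_type": "Bearer"}

    def is_token_valid(self, access_token):
        """What a resource server would ask via introspection: is this token still live?"""
        return access_token in self._tokens


def code_from_redirect(location):
    """Pull the code out of the redirect URI the browser was sent to."""
    return parse_qs(urlparse(location).query)["code"][0]


def demo():
    """Walk through steps 5 and 6, a code found in a log without the secret, and a replay."""
    clients = {"app123": {"secret": "s3cret-example", "redirect_uri": "https://app.example/cb"}}
    srv = AuthorizationServer(clients)

    location = srv.authorize("app123", "https://app.example/cb", user="alice")
    code = code_from_redirect(location)

    # Someone who only saw the logged URL does not have the client secret: exchange fails
    wrong_secret = srv.token("app123", "guess", code, "https://app.example/cb")
    # The legitimate client completes step 6
    first = srv.token("app123", "s3cret-example", code, "https://app.example/cb")
    # The same code presented again: denied, and the earlier token is revoked
    replay = srv.token("app123", "s3cret-example", code, "https://app.example/cb")
    return {
        "wrong_secret": wrong_secret,
        "first": first,
        "replay": replay,
        "token_valid_after_replay": srv.is_token_valid(first.get("access_token")),
    }


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

Revoking on replay is the part real servers most often skip: without it, a second use of a logged code is "only" refused, while the legitimate session obtained on the first use stays live even though the code has evidently leaked.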