ajaybc
Reputation: 4059
What is the difference between access tokens and auth_codes in OAuth 2
I am using the OAuth 2.0 PHP Library to develop a OAuth 2.0 server in PHP.
In the example of that library I can see 3 tables: auth_codes, clients and tokens.
As far as I know tokens are used to access the data and auth codes are used to obtain tokens.
But the problem is that if i do
...authorize.php?client_id=0123456789ab&response_type=token&state=test_state
I can get token without even getting the access code.
How is that possible ? Is this a proper implementation ?
Upvotes: 11
Views: 3638
Answers (1)
codeandcloud
Reputation: 55200
There are two flows for OAuth2 authentcation.
- Two-legged OAuth
- Three-legged OAuth
Here you have encountered 2-legged OAuth which doesn't require the auth_code to get access_token dance :)
These are some useful links that will help you understand the difference better.
- http://cakebaker.42dh.com/2011/01/10/2-legged-vs-3-legged-oauth/
- https://sites.google.com/site/oauthgoog/2leggedoauth/2opensocialrestapi
Upvotes: 9
Related Questions
- What is the difference between authorization code and Client Credentials?
- What is the purpose of authorization code in OAuth
- Clarification on id_token vs access_token
- oAuth2.0: Why need "authorization-code" and only then the token?
- How is authorization code different from the access token?
- OAuth2 (Code Grant) access_token Meaning
- what's the difference between access token(Oauth1) and bearer token(Oauth2)
- Is short lived access token and request token and authorization code the same thing?
- oAuth2.0 access token confusion
- php+oauth: what's the difference between 3-legged and 2-legged auth?