The Authorization Server creates an Authorization Code and sends it to the OAuth Client only after the Resource Owner has completed a successful Authentication Request and delegated authorization.

The OAuth Client presents the Authorization Code to the Token Endpoint on the Authorization Server to obtain an Access Token.

The validity of the Authorization Code is limited to a few minutes, as the OAuth Client is expected to exchange it for an Access Token promptly.

OAuth 2.0 Grant_type#

Authorization Code is an OAuth 2.0 Authorization Grant which is obtained by using an Authorization Server as an intermediary between the OAuth Client and the Resource Owner.

Instead of requesting Authorization directly from the Resource Owner, the OAuth Client directs the Resource Owner to an Authorization Server, via its user-agent as defined in RFC 2616, which in turn directs the Resource Owner back to the OAuth Client with the Authorization Code.

Before directing the Resource Owner back to the OAuth Client with the Authorization Code, the Authorization Server authenticates the Resource Owner and obtains authorization.

Because the Resource Owner only Authenticates with the Authorization Server, the Resource Owner's credentials are never shared with the OAuth Client.

The Authorization Code provides a few important security benefits, such as the ability to authenticate the OAuth Client, as well as the transmission of the Access Token directly to the OAuth Client without passing it through the Resource Owner's user-agent and potentially exposing it to others, including the Resource Owner.
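The checks an Authorization Server performs when a code is issued and later redeemed at the Token Endpoint are easier to see in code than in prose. The following is an added example, not code from this page or from any OAuth library: a constructed in-memory model in which the class and method names (AuthorizationServer, issue_code, redeem_code, resource_owner_for) and the client registry are assumptions. It shows the properties described above: the code is bound to the client and redirect URI, the client is authenticated at the Token Endpoint, the code expires after a short lifetime, and a code presented twice is rejected with any token already issued from it revoked (the behaviour RFC 6749 section 4.1.2 recommends).

```python
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed example: codes are short-lived; a few minutes is typical.
CODE_LIFETIME_SECONDS = 600


@dataclass
class AuthorizationCode:
    client_id: str
    redirect_uri: str
    resource_owner: str
    issued_at: float
    used: bool = False
    token: str | None = None  # Access Token issued from this code, if any


class AuthorizationServer:
    """Hypothetical in-memory Authorization Server (not a real library)."""

    def __init__(self, clients: dict[str, tuple[str, str]]):
        # client_id -> (client_secret, registered redirect_uri); constructed registry
        self._clients = clients
        self._codes: dict[str, AuthorizationCode] = {}
        self._tokens: dict[str, str] = {}  # access_token -> resource_owner

    def issue_code(self, client_id: str, redirect_uri: str, resource_owner: str,
                   now: float | None = None) -> str:
        """Called only after the Resource Owner has authenticated and delegated
        authorization. The returned code travels back through the user-agent."""
        now = time.time() if now is None else now
        _, registered_uri = self._clients[client_id]
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri does not match client registration")
        code = secrets.token_urlsafe(32)
        self._codes[code] = AuthorizationCode(client_id, redirect_uri, resource_owner, now)
        return code

    def redeem_code(self, code: str, client_id: str, client_secret: str,
                    redirect_uri: str, now: float | None = None) -> tuple[str | None, str | None]:
        """Token Endpoint: exchange a code for an Access Token.
        Returns (access_token, None) on success or (None, error_code) on failure."""
        now = time.time() if now is None else now
        # Authenticate the OAuth Client first; the code grant allows this because
        # the exchange happens directly between client and server.
        if client_id not in self._clients:
            return None, "invalid_client"
        expected_secret, _ = self._clients[client_id]
        if not hmac.compare_digest(expected_secret, client_secret):
            return None, "invalid_client"
        record = self._codes.get(code)
        if record is None:
            return None, "invalid_grant"
        # The code is bound to the client and redirect URI it was issued for.
        if record.client_id != client_id or record.redirect_uri != redirect_uri:
            return None, "invalid_grant"
        if record.used:
            # Replay of a code: deny, and revoke the token already issued from it.
            if record.token is not None:
                self._tokens.pop(record.token, None)
            return None, "invalid_grant"
        if now - record.issued_at > CODE_LIFETIME_SECONDS:
            return None, "invalid_grant"
        record.used = True
        token = secrets.token_urlsafe(32)
        record.token = token
        self._tokens[token] = record.resource_owner
        return token, None

    def resource_owner_for(self, access_token: str) -> str | None:
        """Resource-server side lookup: who delegated this Access Token?"""
        return self._tokens.get(access_token)
```

Because the Access Token is returned from redeem_code to the authenticated client only, it never passes through the user-agent; the only value the browser ever carries is the short-lived, single-use code.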

More Information#

There might be more information for this subject on one of the following:

This page (revision-7) was last changed on 08-Aug-2016 14:31 by jim