The Authorization Server creates an Authorization Code and sends it to the OAuth Client (OAuth Confidential Clients) only after successful Authentication Request and Authorization Server Request End-User Consent-Authorization of the Resource Owner.
Authorization Code is a Sender Constrained Token (For use by the OAuth Client).
OAuth Client presents the Authorization Code to the Token_endpoint on the Authorization Server to obtain an Access Token.
The validity of the Authorization Code is limited to a few minutes as the OAuth Client is expected to obtain and Access Token.
Instead of requesting Authorization directly from the Resource Owner, the OAuth Client directs the Resource Owner to an Authorization Server, via its user-agent as defined in RFC 2616, which in turn directs the Resource Owner back to the OAuth Client with the Authorization Code.
Before directing the Resource Owner back to the OAuth Client with the Authorization Code, the Authorization Server Authenticates the Resource Owner and obtains authorization.
Because the Resource Owner only Authenticates with the Authorization Server, the Resource Owner's credentials are never shared with the OAuth Client.
The Authorization Code provides a few important security benefits, such as the ability to authenticate the OAuth Client, as well as the transmission of the Access Token directly to the OAuth Client without passing it through the Resource Owner's user-agent and potentially exposing it to others, including the Resource Owner.