简体繁体中英

Why does authorization grant flow skip the authorization code just return an access token?

原文 2017-09-21 21:33:22 9 1 oauth-2.0/ access-token

I'm learning about O Auth 2 from here

I was wondering in the step of "Authorization server redirects user agent to client with authorization code", why doesn't the server just give the access token instead? Why give an authorization code that then is used to get the access token? Why not just give the access token directly? Is it because there there is a different access token for each resource so that you need to go through O Auth again to access a different resource?

1 answers

The authorization grant code can pass through unsecured or potentially risky environments such as basic HTTP connection (not HTTPS) or a browser. But it's worthless without a client secret. The client can be a backend application. If the OAuth2 server returned a token, it could get compromised.

There is another OAuth2 flow - the Implicit flow , which returns an access token right after the authentication, but it's designed mainly for JavaScript applications or other deployments where it's safe to use it.

Where is the OAuth access token stored in the browser in case of Authorization Code Grant flow

why not obtain a new access token by resending the authorization grant/code instead of sending refresh token?

In using OAuth 2.0 Authorization Code Flow with a Mobile App should the Browser return Authorization Code or Access Token to the Mobile App?

OAuth2: (Why) does exchanging authorization code for access token require authorization header?

How to automate access token retrieval using Authorization code flow?

OAuth2 authorization code flow: spring-security does not accept the issued access_token

Refresh Token Flow With Authorization Code Flow

unable to get access token from OAuth 2.0 Authorization Code Flow

Get new refresh token in oauth2.0 authorization code grant flow

How to handle access token in OAuth authorization flow?

暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Where is the OAuth access token stored in the browser in case of Authorization Code Grant flow why not obtain a new access token by resending the authorization grant/code instead of sending refresh token? In using OAuth 2.0 Authorization Code Flow with a Mobile App should the Browser return Authorization Code or Access Token to the Mobile App? OAuth2: (Why) does exchanging authorization code for access token require authorization header? How to automate access token retrieval using Authorization code flow? OAuth2 authorization code flow: spring-security does not accept the issued access_token Refresh Token Flow With Authorization Code Flow unable to get access token from OAuth 2.0 Authorization Code Flow Get new refresh token in oauth2.0 authorization code grant flow How to handle access token in OAuth authorization flow?

Related Tags

Why does authorization grant flow skip the authorization code just return an access token?

Question

1 answers

solution1 0 2017-09-22 06:31:45

solution1
0 2017-09-22 06:31:45