About

An authorization code is a intermediate credential used in a authorization code flow to retrieve a access token.

It's a shared secret that does not long live because it's passed back via the query parameters and therefore will be leaked (written) in a Web Log of the HTTP request.

Example

https://example.com/redirection/path?code=AUTHORIZATION_CODE&state=xxxxx

where:

• code is a nonce value
• state is the initial state of the client at the start of the flow

Example of value

code=4/0AX4XfWhcZSdBvBXanPSGA5VYYjz0_gwFtRLB2csaJ4K_ym6BS4QBTBq4hysO4oKyp0AinA

Security Benefice

The authorization code provides a few important security benefits, such as:

• as it's passed back to the client via query url, this code can be leaked in a http request log file because it has a short timespan. (The client then asks via a secure Ajax request the real authentication material).
• the ability to authenticate the client,
• the transmission of the access token directly to the client without passing it through the resource owner's user-agent and potentially exposing it to others, including the resource owner.