About
An authorization code is a intermediate credential used in a authorization code flow to retrieve a access token.
It's a shared secret that does not long live because it's passed back via the query parameters and therefore will be leaked (written) in a Web Log of the HTTP request.
Example
https://example.com/redirection/path?code=AUTHORIZATION_CODE&state=xxxxx
where:
- code is a nonce value
- state is the initial state of the client at the start of the flow
Example of value
code=4/0AX4XfWhcZSdBvBXanPSGA5VYYjz0_gwFtRLB2csaJ4K_ym6BS4QBTBq4hysO4oKyp0AinA
Security Benefice
The authorization code provides a few important security benefits, such as:
- as it's passed back to the client via query url, this code can be leaked in a http request log file because it has a short timespan. (The client then asks via a secure Ajax request the real authentication material).
- the ability to authenticate the client,
- the transmission of the access token directly to the client without passing it through the resource owner's user-agent and potentially exposing it to others, including the resource owner.