OAuth - Authorization Code


An authorization code is a intermediate credential used in a authorization code flow to retrieve a access token.

It's a shared secret that does not long live because it's passed back via the query parameters and therefore will be leaked (written) in a Web Log of the HTTP request.




Example of value


Security Benefice

The authorization code provides a few important security benefits, such as:

  • as it's passed back to the client via query url, this code can be leaked in a http request log file because it has a short timespan. (The client then asks via a secure Ajax request the real authentication material).
  • the ability to authenticate the client,
  • the transmission of the access token directly to the client without passing it through the resource owner's user-agent and potentially exposing it to others, including the resource owner.

Powered by ComboStrap