
Why retrieving Access Token is a separate step with extra HTTP request in OAuth2?

Tags:

oauth-2.0

While learning how OAuth2 works, I cannot figure out why there is a separate step to retrieve Access Token?

A separate step means:

  • an extra HTTP request
  • passing Client Secret in the URL

I'd expect the Access Token to be generated in the "authorization" step, encrypted using the Client Secret, and returned back when redirecting to the Callback URL. Then the client application would decrypt it and use it straight away without issuing an extra HTTP request.

I guess there are some reasons behind having an extra step, and I'm just not aware of them. I hope you can explain the reasons in your answer.

Meglio, asked Sep 16 '25 14:09


1 Answer

I'm assuming you're talking about the Authorization Code flow and not the Implicit flow, which does return a token directly.

The Authorization Code flow is designed to work with potentially unencrypted servers via a callback URL (this was designed years before Let's Encrypt and the relatively recent encrypt-everything push). Thus, the URL could be intercepted by any intermediate routers/proxies, and sending an access code as part of the callback URL in that environment is a Bad Idea.

So instead, the authorization code is sent. Then the client exchanges the authorization code along with its client secret for an access token. The authorization code can be intercepted, but in the Authorization Code flow, the client secret is actually secret and not known outside your server, so any intercepted authorization code is useless on its own.

These days, encryption is common and free, and unencrypted flows are strongly discouraged. The extra call remains part of the Authorization Code flow for historical reasons.

Stephen Cleary, answered Sep 19 '25 04:09
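As an added example (not part of the question or the answer above), a toy in-memory authorization server in Python that models the two steps the answer describes: the front-channel redirect carries only a short-lived code, and the back-channel token request must present the client secret, so a code observed in the callback URL cannot be redeemed on its own. It goes a little beyond the answer by also making the code single-use and binding it to the registered redirect URI; the client id, secret and URLs are constructed values.

```python
import secrets
import time
from urllib.parse import parse_qs, urlparse

class AuthorizationServer:
    """Toy in-memory OAuth2 authorization server (constructed for illustration)."""

    def __init__(self, clients, code_ttl=60):
        self.clients = clients   # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes = {}          # authorization code -> issuance record
        self.code_ttl = code_ttl

    def authorize(self, client_id, redirect_uri, user):
        # Step 1, front channel: after consent, only a short-lived single-use
        # code travels back through the browser in the callback URL.
        if redirect_uri != self.clients[client_id]["redirect_uri"]:
            raise ValueError("redirect_uri does not match registration")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "user": user, "expires": time.time() + self.code_ttl,
                            "used": False}
        return f"{redirect_uri}?code={code}"

    def token(self, client_id, client_secret, code, redirect_uri):
        # Step 2, back channel: the client authenticates with its secret and
        # exchanges the code; the secret never appears in any redirect URL.
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client_secret, client["secret"]):
            return {"error": "invalid_client"}
        rec = self.codes.get(code)
        if (rec is None or rec["used"] or rec["expires"] < time.time()
                or rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri):
            return {"error": "invalid_grant"}
        rec["used"] = True   # a code may be redeemed exactly once
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "user": rec["user"]}

def demo():
    cb, secret = "https://app.example/cb", "s3cret-known-only-to-app-server"
    srv = AuthorizationServer({"app": {"secret": secret, "redirect_uri": cb}})
    redirect = srv.authorize("app", cb, user="alice")
    code = parse_qs(urlparse(redirect).query)["code"][0]
    # Whoever observes the redirect holds the code but not the secret.
    stolen = srv.token("app", "wrong-secret", code, cb)
    # The registered client redeems the code with its secret.
    legit = srv.token("app", secret, code, cb)
    # Replaying the spent code fails even with the correct secret.
    replay = srv.token("app", secret, code, cb)
    return stolen, legit, replay
```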