 +----------+
 | Resource |
 |   Owner  |
 |          |
 +----------+
      ^
      |
     (B)
 +----|-----+          Client Identifier      +---------------+
 |         -+----(A)-- & Redirection URI ---->|               |
 |  User-   |                                 | Authorization |
 |  Agent  -+----(B)-- User authenticates --->|     Server    |
 |          |                                 |               |
 |         -+----(C)-- Authorization Code ---<|               |
 +-|----|---+                                 +---------------+
   |    |                                         ^      v
  (A)  (C)                                        |      |
   |    |                                         |      |
   ^    v                                         |      |
 +---------+                                      |      |
 |         |>---(D)-- Authorization Code ---------'      |
 |  Client |          & Redirection URI                  |
 |         |                                             |
 |         |<---(E)----- Access Token -------------------'
 +---------+       (w/ Optional Refresh Token)

I understand the flow above, but my question is about step C in the middle: is it possible that the Authorization Server gets the redirection URI and then uses POST to request that URI and puts the access token in the body? That would eliminate steps D and E? Thanks for your replies.

Zelin
  • Does this answer your question? [oAuth2.0: Why need "authorization-code" and only then the token?](https://stackoverflow.com/questions/15219006/oauth2-0-why-need-authorization-code-and-only-then-the-token) – OhadR Oct 04 '21 at 15:22

1 Answer


It sounds like what you're describing is the Implicit Grant Flow (steps A - C):

 +----------+
 | Resource |
 |  Owner   |
 |          |
 +----------+
      ^
      |
     (B)
 +----|-----+          Client Identifier     +---------------+
 |         -+----(A)-- & Redirection URI --->|               |
 |  User-   |                                | Authorization |
 |  Agent  -|----(B)-- User authenticates -->|     Server    |
 |          |                                |               |
 |          |<---(C)--- Redirection URI ----<|               |
 |          |          with Access Token     +---------------+
 |          |            in Fragment
 |          |                                +---------------+
 |          |----(D)--- Redirection URI ---->|   Web-Hosted  |
 |          |          without Fragment      |     Client    |
 |          |                                |    Resource   |
 |     (F)  |<---(E)------- Script ---------<|               |
 |          |                                +---------------+
 +-|--------+
   |    |
  (A)  (G) Access Token
   |    |
   ^    v
 +---------+
 |         |
 |  Client |
 |         |
 +---------+

The token is returned directly in step C, without the need to perform a code/token exchange. However, this has a number of security risks, including but not limited to token injection and credential leakage. The OAuth working group recommends that clients SHOULD NOT use this flow, in accordance with best security practices.
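To make concrete what the back-channel exchange in steps D and E buys (and what dropping it, as in the implicit grant, gives up), here is a small in-memory simulation written as an added example for this page; it is not code from the question, the answer, or any real OAuth library. It models an authorization server that issues codes bound to the client, the registered redirect URI, the user and a PKCE challenge (PKCE is from RFC 7636, an addition on top of the RFC 6749 figure above), exchanges them once over an authenticated token endpoint, and, for contrast, an implicit-style endpoint that mints the token at step C. The client id "app", the secret "s3cret", the redirect URI and the user names are all made up for the illustration. The two attack scenarios show the token-injection point the answer makes: an injected code fails the PKCE check, while an injected fragment token is accepted because the client has nothing to check it against.

```python
# Toy OAuth 2.0 authorization server and client, added to this page as an
# illustration (not code from the question, the answer, or any real library).
# All values (client id "app", secret "s3cret", redirect URI, user names) are made up.
import base64
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

REDIRECT = "https://app.example/cb"          # hypothetical registered redirect URI


def b64url_sha256(text: str) -> str:
    """PKCE S256 transform of a code_verifier (RFC 7636)."""
    return base64.urlsafe_b64encode(hashlib.sha256(text.encode()).digest()).rstrip(b"=").decode()


@dataclass
class AuthServer:
    clients: dict                                # client_id -> {"secret", "redirect_uri"}
    codes: dict = field(default_factory=dict)    # code -> issuance record
    tokens: dict = field(default_factory=dict)   # access_token -> (client_id, user)

    def authorize_code(self, client_id, redirect_uri, user, code_challenge):
        # Step C of the code grant: a short-lived code bound to client, redirect
        # URI, the authenticated user and the PKCE challenge sent in step A.
        if redirect_uri != self.clients[client_id]["redirect_uri"]:
            raise ValueError("redirect_uri not registered for this client")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "user": user,
                            "challenge": code_challenge, "expires": time.time() + 60}
        return code

    def token(self, client_id, client_secret, code, redirect_uri, code_verifier):
        # Steps D/E: the back-channel exchange that the implicit grant skips.
        reg = self.clients.get(client_id)
        if reg is None or not secrets.compare_digest(reg["secret"], client_secret):
            raise PermissionError("invalid_client")
        rec = self.codes.pop(code, None)          # single use: consumed even if a later check fails
        if rec is None or rec["expires"] < time.time():
            raise PermissionError("invalid_grant: unknown, used or expired code")
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant: code was issued to another client/URI")
        if b64url_sha256(code_verifier) != rec["challenge"]:
            raise PermissionError("invalid_grant: PKCE verifier mismatch")
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = (client_id, rec["user"])
        return {"access_token": tok, "token_type": "Bearer"}

    def authorize_implicit(self, client_id, redirect_uri, user):
        # Implicit grant: the bearer token itself rides back through the user-agent.
        if redirect_uri != self.clients[client_id]["redirect_uri"]:
            raise ValueError("redirect_uri not registered for this client")
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = (client_id, user)
        return f"{redirect_uri}#access_token={tok}&token_type=Bearer"


class CodeFlowClient:
    """Confidential client that keeps one PKCE verifier per browser session."""

    def __init__(self, server, client_id, secret):
        self.server, self.client_id, self.secret, self.sessions = server, client_id, secret, {}

    def start(self, session_id):
        self.sessions[session_id] = secrets.token_urlsafe(48)
        return b64url_sha256(self.sessions[session_id])      # code_challenge for step A

    def callback(self, session_id, code):
        verifier = self.sessions.pop(session_id)             # must match the code's challenge
        return self.server.token(self.client_id, self.secret, code, REDIRECT, verifier)


def setup():
    srv = AuthServer(clients={"app": {"secret": "s3cret", "redirect_uri": REDIRECT}})
    return srv, CodeFlowClient(srv, "app", "s3cret")


def code_flow_happy_path():
    srv, client = setup()
    code = srv.authorize_code("app", REDIRECT, "alice", client.start("victim"))
    return srv.tokens[client.callback("victim", code)["access_token"]]   # ("app", "alice")


def injected_code_is_rejected():
    # Mallory gets a code for her own account and steers the victim's browser to the
    # callback carrying it; the verifier stored in the victim's session does not match.
    srv, client = setup()
    client.start("victim")
    mallory_code = srv.authorize_code("app", REDIRECT, "mallory", client.start("mallory"))
    try:
        client.callback("victim", mallory_code)
    except PermissionError as err:
        return str(err)
    return "accepted"


def implicit_token_injection():
    # Same trick against the implicit grant: the token arrives in the fragment, the
    # client has nothing to bind it to, and the victim's session becomes Mallory's.
    srv, _ = setup()
    planted = srv.authorize_implicit("app", REDIRECT, "mallory")
    tok = parse_qs(urlparse(planted).fragment)["access_token"][0]
    return srv.tokens[tok]                                   # ("app", "mallory")
```

The point of the design is that in the code grant the user-agent only ever carries a code that is useless on its own: redeeming it requires the client's secret, the matching redirect URI and the PKCE verifier held in the victim's own session, and the server consumes it on first use, so an attacker who plants a code, replays one, or steals one from browser history gets nothing. In the implicit variant the bearer token is the thing that travels through the front channel, and the client has no equivalent check, which is the token-injection risk described above.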