Recall & Review
beginner
What is the main purpose of the Authorization Code Flow in OAuth 2.0?
It securely allows a client application to obtain an access token by first getting an authorization code from the authorization server, which is then exchanged for the token.
beginner
List the main steps in the Authorization Code Flow.
1. Client redirects user to authorization server.
2. User logs in and consents.
3. Authorization server sends authorization code to client.
4. Client exchanges code for access token.
5. Client uses access token to access protected resources.
intermediate
Why is the Authorization Code Flow considered more secure than the Implicit Flow?
Because the access token is never exposed to the user agent or browser directly; it is obtained via a secure back-channel between the client and authorization server.
beginner
What role does the 'redirect URI' play in the Authorization Code Flow?
It is the URL where the authorization server sends the authorization code after user consent. It must be pre-registered to prevent attacks.
intermediate
What is the purpose of the 'state' parameter in the Authorization Code Flow?
It helps prevent cross-site request forgery (CSRF) attacks by maintaining state between the request and callback.
In the Authorization Code Flow, what does the client receive first from the authorization server?
The client first receives an authorization code, which it then exchanges for an access token.
Why should the access token not be exposed to the browser in Authorization Code Flow?
Exposing tokens to the browser risks theft by malicious scripts or attackers.
What is the purpose of exchanging the authorization code for an access token?
Exchanging the code for a token ensures the client is authorized securely.
Which parameter helps prevent CSRF attacks in Authorization Code Flow?
The 'state' parameter maintains request state and prevents CSRF.
What must the redirect URI be during the Authorization Code Flow?
The redirect URI must be pre-registered to avoid redirection attacks.
Explain the Authorization Code Flow step-by-step as if teaching a friend.
Think about how the client never sees the user's password and how the token is kept safe.
Describe why the Authorization Code Flow is more secure than other OAuth flows.
Focus on how the flow protects tokens and user data.