The title says it all. I'm really confused with terminology, and since I have to implement this, I can't afford even a slight confusion. If they are the same thing--fine; I just want perfect clarity.
And for search engines: OIDC = OpenID Connect.
An authorization code is a part of the mechanics for handling OIDC browser redirects securely. It ensures that access tokens are never available in the browser history.
An access token is a message credential sent to OAuth-secured APIs in the Authorization header.
To visualise usage, have a look at my Initial OAuth Messages blog post. Once people understand the messages used in OAuth flows, they are much more productive.
Thank you Gary Archer for your answer. My answer is in conjunction with yours.
The authorization code (during the OAuth 2.0 dance) is the data returned by the browser to the client application. The client sends this code to an authorization server to get an access token. The client uses this access token to get the desired data from the resource server.
Please comment if I'm missing something!
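The three steps described in the answers above, as an added example that is not part of either answer: a toy in-memory authorization server showing that the code travels in the browser redirect and is redeemed once, while the access token appears only in the token response and the `Authorization` header. The class, client id and URLs are constructed for illustration; client authentication and PKCE are left out to keep it short.

```python
import secrets, time
from urllib.parse import urlencode, urlparse, parse_qs

class ToyAuthorizationServer:
    """In-memory stand-in for an authorization server (constructed for illustration)."""
    def __init__(self):
        self.codes = {}    # code -> (client_id, redirect_uri, expires_at)
        self.tokens = {}   # access token -> client_id

    def authorize(self, client_id, redirect_uri, state):
        # Step 1 (front channel): the browser is redirected back with a short-lived code.
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, time.time() + 60)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, form):
        # Step 2 (back channel): the client POSTs the code; pop() makes it single-use.
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        entry = self.codes.pop(form.get("code"), None)
        if entry is None or time.time() > entry[2]:
            return {"error": "invalid_grant"}
        if (form.get("client_id"), form.get("redirect_uri")) != entry[:2]:
            return {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = entry[0]
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": 900}

def api_call(server, headers):
    # Step 3: the resource server accepts only an access token in the Authorization header.
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    return 200 if scheme == "Bearer" and value in server.tokens else 401

def run_flow():
    server = ToyAuthorizationServer()
    client_id, redirect_uri = "demo-client", "https://client.example/callback"
    redirect = server.authorize(client_id, redirect_uri, state="xyz")
    code = parse_qs(urlparse(redirect).query)["code"][0]
    form = {"grant_type": "authorization_code", "code": code,
            "client_id": client_id, "redirect_uri": redirect_uri}
    first, replay = server.token(form), server.token(form)  # second call replays the code
    return {"code_in_redirect": "code=" in redirect,
            "token_in_redirect": first["access_token"] in redirect,
            "replay": replay,
            "api_with_token": api_call(server, {"Authorization": "Bearer " + first["access_token"]}),
            "api_with_code": api_call(server, {"Authorization": "Bearer " + code})}

if __name__ == "__main__":
    print(run_flow())
```
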