Understanding OAuth https://stackoverflow.com/questions/13387698/why-is-there-an-authorization-code-flow-in-oauth2-when-implicit-flow-works-s https://medium.com/google-cloud/understanding-oauth2-and-building-a-basic-authorization-server-of-your-own-a-beginners-guide-cf7451a16f66
Say you (resource owner) have the keys(password) to your house(resource). And you want to key that access to your house to a friend, telling your househelp that the friend will come and to give him the key
Is this process secure?
No! The househelp has no way of verifying that the stranger who knocks at the door is your friend! So the househelp agrees with you a password, and tells you to give it to the friend, and the friend is supposed to tell this password when he knocks.
Now when the stranger knocks, and gives you the password, you give him the key to the house
Is this secure? No!
What if someone murdered the friend, and before he died, took the password from him! Maybe the impostor has turned up with the password!
So you tell your master, that hey, please give me your friends’ photograph, so that you only give the key to the correct friend.
Is this secure? No! What if the friend asks for the key to the neighbour’s house?
The friend has to present both the password and the photograph.
Is this secure?
Thus, the security benefit is that the access token isn’t exposed to the browser, and thus cannot be intercepted/grabbed from a browser. We trust the web server more, which communicates via back channels. The access token, which is secret, can then remain on the web server, and not be exposed to the browser (i.e. front channels).
According to Nate Barbettini we want the extra step of exchanging the authentication code for the access token, because the authentication code can be used in the front channel (less secure), and the access token can be used in the back channel (more secure).
23 October 2018