18Kas
Could the Authorization Server return the code directly to the client instead of using a redirect in the OAuth2 Authorization code flow?
For Authorization code grant flow, RFC says the authorization server will send back the code to the redirect_uri specified.
I believe it means the browser will receive a URL like http://webapp/?code=xyz
Now, the code in the browser will be sent to the client app, so that the client can use the code to ask the authorization server for an access token.
That's where my question comes in. I think that returning the code to the user-agent is not secure.
What if it was only returned to the client so that it can process the code to obtain an access token? Is it at all possible?
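The flow the question describes, as an added example that is not part of the original post: a minimal in-memory model of the RFC 6749 authorization-code exchange, showing that the code the browser sees is bound to the registered client and redirect_uri, is single-use and short-lived, and cannot be redeemed without the client's secret. The client registration, secret, user name and lifetime are constructed for the demo.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CODE_TTL_SECONDS = 600  # RFC 6749 recommends codes live at most 10 minutes

# Constructed registration of one confidential client (hypothetical values).
CLIENTS = {"webapp": {"secret": "s3cret", "redirect_uri": "http://webapp/"}}
_codes = {}  # code -> record of who it was issued to and whether it was used


def authorize(client_id, redirect_uri, user="alice"):
    """Authorization endpoint: after consent, issue a one-time code bound to
    the client and redirect_uri, and return the redirect URL the user-agent
    follows. This is the point where the browser sees the code."""
    reg = CLIENTS.get(client_id)
    if reg is None or reg["redirect_uri"] != redirect_uri:
        raise ValueError("unknown client or unregistered redirect_uri")
    code = secrets.token_urlsafe(32)
    _codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                    "issued": time.time(), "used": False, "user": user}
    return redirect_uri + "?" + urlencode({"code": code})


def token(code, client_id, client_secret, redirect_uri):
    """Token endpoint: only the client holding the secret, presenting the same
    redirect_uri, can redeem an unused, unexpired code, and only once."""
    reg = CLIENTS.get(client_id)
    if reg is None or not secrets.compare_digest(reg["secret"], client_secret):
        return {"error": "invalid_client"}
    rec = _codes.get(code)
    if (rec is None or rec["used"] or rec["client_id"] != client_id
            or rec["redirect_uri"] != redirect_uri
            or time.time() - rec["issued"] > CODE_TTL_SECONDS):
        return {"error": "invalid_grant"}
    rec["used"] = True  # single use: a replayed code is rejected below
    return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
            "sub": rec["user"]}


def demo():
    """Browser receives the code; only the real client can redeem it; a
    second redemption of the same code fails."""
    url = authorize("webapp", "http://webapp/")
    code = parse_qs(urlparse(url).query)["code"][0]
    code_only = token(code, "webapp", "wrong-secret", "http://webapp/")
    client = token(code, "webapp", "s3cret", "http://webapp/")
    replay = token(code, "webapp", "s3cret", "http://webapp/")
    return code_only.get("error"), "access_token" in client, replay.get("error")
```

Running `demo()` returns `("invalid_client", True, "invalid_grant")`: the code alone is not enough, the registered client succeeds, and the reused code is rejected.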