Something I can't wrap my head around. As I understand it, the authorization code flow is supposed to be more secure than the implicit flow, because the tokens are not sent directly to the client from the authorization server, but rather retrieved by your backend. So the flow is basically:
In this flow, all the tutorials describe the authorization code as useless to the hacker. Why is that? Can't a hacker use Postman or some other client and access your (public) API directly, make it go through step 3 and thus retrieve the tokens just the same?
What am I missing here?
The code is used exactly once. In many scenarios that an attacker might get access to the code, it's already been exchanged for an access token and therefore useless.
The authorization_code is a one-time token.
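To make the "one-time token" point concrete, here is an added example (written for this page, not code from the answerer or from any real authorization server) of a minimal in-memory token endpoint. It marks each code as used on its first exchange and rejects a replay with invalid_grant; following RFC 6749 section 4.1.2, a replay also revokes any access token previously issued on that code, so an attacker who beats the legitimate client to the exchange loses the token as soon as the real client redeems the same code. The in-memory stores, the client_id/redirect_uri binding, the 60-second code lifetime and the names used here are assumptions for illustration.

```python
import secrets
import time

# Assumed code lifetime; real servers typically use a short window like this.
CODE_TTL_SECONDS = 60


class AuthorizationServer:
    """Toy token endpoint enforcing single-use authorization codes (illustrative only)."""

    def __init__(self):
        # code -> record; record["used"] flips to True on the first exchange
        self._codes = {}
        # access_token -> code that issued it, so tokens can be revoked on replay
        self._tokens = {}

    def issue_code(self, client_id, redirect_uri, user):
        """Step after user consent: mint a fresh, unguessable, single-use code."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "user": user,
            "issued_at": time.time(),
            "used": False,
            "tokens": [],
        }
        return code

    def exchange(self, code, client_id, redirect_uri):
        """Token endpoint: redeem a code exactly once for an access token."""
        rec = self._codes.get(code)
        if rec is None:
            return {"error": "invalid_grant"}
        if rec["used"]:
            # RFC 6749 4.1.2: deny the replay and revoke tokens already issued on this code
            for t in rec["tokens"]:
                self._tokens.pop(t, None)
            return {"error": "invalid_grant"}
        if time.time() - rec["issued_at"] > CODE_TTL_SECONDS:
            rec["used"] = True  # expired codes are burned, never redeemable later
            return {"error": "invalid_grant"}
        # Bind the code to the client and redirect_uri it was issued for (RFC 6749 4.1.3)
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            return {"error": "invalid_grant"}
        rec["used"] = True
        token = secrets.token_urlsafe(32)
        rec["tokens"].append(token)
        self._tokens[token] = code
        return {"access_token": token, "token_type": "Bearer"}

    def token_is_valid(self, token):
        """Resource-server side check: has this token been issued and not revoked?"""
        return token in self._tokens


def replay_demo():
    """Legitimate client exchanges first; an attacker replaying the code gets nothing."""
    srv = AuthorizationServer()
    code = srv.issue_code("web-app", "https://app.example/cb", "alice")
    first = srv.exchange(code, "web-app", "https://app.example/cb")
    replay = srv.exchange(code, "web-app", "https://app.example/cb")
    return first, replay


def race_demo():
    """Attacker steals the code and exchanges it first; the real client's exchange
    fails but revokes the attacker's token, limiting the damage window."""
    srv = AuthorizationServer()
    code = srv.issue_code("web-app", "https://app.example/cb", "alice")
    attacker = srv.exchange(code, "web-app", "https://app.example/cb")
    valid_before = srv.token_is_valid(attacker["access_token"])
    legit = srv.exchange(code, "web-app", "https://app.example/cb")
    valid_after = srv.token_is_valid(attacker["access_token"])
    return valid_before, legit, valid_after


if __name__ == "__main__":
    print(replay_demo())
    print(race_demo())
```

The second scenario is the caveat behind "in many scenarios": single use only helps once the legitimate client has redeemed the code, which is why real deployments additionally bind the code to the client (client secret or PKCE) and keep the code lifetime short; those extras are outside what this answer covers.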