oauth-2.0

Successive usage of authorization code for OAuth2


Reading various resources on OAuth2, I understand the following flow:

1. User/Resource-Owner opts for OAuth based authorization on the client
2. Client redirects the user to the auth server
3. User provides credentials and approves access
4. Auth server redirects the user to the client with an authorization code
5. Client sends (auth code + client creds) to the auth server to get an access token
6. Client finally uses the access token to get access to the resource

So does it mean that from now on the same auth code is used by the client to generate an access token for all future access, meaning the auth code is saved with the client?


Solution

  • So does it mean that from now on the same auth code is used by the client to generate an access token for all future access, meaning the auth code is saved with the client?

    No, the auth code (authorization code) is for one-time use only. Once you exchange the auth code for an access_token, the authorization server removes its reference from the server. Usually, for OAuth 2 related flows, the authorization server issues two types of tokens, access_token and refresh_token. It's the refresh_token that the client can use to obtain a new access_token.
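The one-time-use rule described in the answer, as an added example that is not code from the original post: a toy in-memory authorization server in Python that consumes the authorization code on its first exchange, denies a replayed code and revokes the tokens minted from it (the behaviour RFC 6749 section 4.1.2 asks for), and rotates refresh tokens on each refresh. The client id, secret and lifetimes are constructed values, not from the question.

```python
import secrets
import time


class AuthServer:
    """Toy OAuth 2.0 authorization server (constructed for illustration)."""
    CODE_TTL = 600      # seconds an unused authorization code stays valid
    ACCESS_TTL = 3600   # access token lifetime

    def __init__(self):
        self._clients = {"demo-client": "demo-secret"}  # constructed registration
        self._codes = {}     # code -> (client_id, issued_at)
        self._access = {}    # access_token -> (client_id, expires_at, code)
        self._refresh = {}   # refresh_token -> (client_id, code)

    def authorize(self, client_id):
        """Step 4 of the flow: user approved, a fresh one-time code is issued."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, time.time())
        return code

    def token_from_code(self, client_id, client_secret, code):
        """Step 5: exchange code + client credentials for tokens. Code is consumed."""
        if self._clients.get(client_id) != client_secret:
            return {"error": "invalid_client"}
        entry = self._codes.pop(code, None)        # pop = the server forgets the code
        if entry is None:
            self._revoke_by_code(code)             # replay: kill tokens issued from it
            return {"error": "invalid_grant"}
        owner, issued_at = entry
        if owner != client_id or time.time() - issued_at > self.CODE_TTL:
            return {"error": "invalid_grant"}
        return self._issue(client_id, code)

    def token_from_refresh(self, client_id, client_secret, refresh_token):
        """Later access: only the refresh_token gets a new access_token, never the code."""
        if self._clients.get(client_id) != client_secret:
            return {"error": "invalid_client"}
        entry = self._refresh.pop(refresh_token, None)  # rotation: old refresh token dies
        if entry is None or entry[0] != client_id:
            return {"error": "invalid_grant"}
        return self._issue(client_id, entry[1])

    def _issue(self, client_id, code):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = (client_id, time.time() + self.ACCESS_TTL, code)
        self._refresh[refresh] = (client_id, code)
        return {"access_token": access, "refresh_token": refresh,
                "token_type": "Bearer", "expires_in": self.ACCESS_TTL}

    def _revoke_by_code(self, code):
        for store in (self._access, self._refresh):   # last tuple field is the code
            for tok in [t for t, v in store.items() if v[-1] == code]:
                del store[tok]

    def resource(self, access_token):
        """Step 6: the protected resource accepts only a live access token."""
        entry = self._access.get(access_token)
        if entry is None or entry[1] < time.time():
            return None
        return {"owner": entry[0]}
```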