
I am using the OAuth 2.0 PHP Library to develop an OAuth 2.0 server in PHP.

In the example of that library I can see 3 tables: auth_codes, clients and tokens.

As far as I know tokens are used to access the data and auth codes are used to obtain tokens.

But the problem is that if I do

...authorize.php?client_id=0123456789ab&response_type=token&state=test_state

I can get token without even getting the access code.

How is that possible? Is this a proper implementation?

hakre
ajaybc
  • Possible duplicate of [What is the difference between the 2 workflows? When to use Authorization Code flow?](https://stackoverflow.com/questions/16321455/what-is-the-difference-between-the-2-workflows-when-to-use-authorization-code-f) – Michael Freidgeim Sep 09 '17 at 22:35

1 Answer


There are two flows for OAuth2 authentication.

  1. Two-legged OAuth
  2. Three-legged OAuth

Here you have encountered 2-legged OAuth which doesn't require the auth_code to get access_token dance :)

These are some useful links that will help you understand the difference better.

  1. http://cakebaker.42dh.com/2011/01/10/2-legged-vs-3-legged-oauth/
  2. https://sites.google.com/site/oauthgoog/2leggedoauth/2opensocialrestapi
naveen
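To make the difference between the two requests concrete, here is an added example (not code from the OAuth 2.0 PHP Library, the asker, or the answerer) that simulates an authorization endpoint in Python. It shows why `response_type=token` hands back an access token immediately while `response_type=code` only hands back a short-lived code that still has to be exchanged at the token endpoint. The three dictionaries stand in for the library's `clients`, `auth_codes` and `tokens` tables; the per-client `allowed_response_types` field, the client ids other than the one in the question, and the redirect URIs are assumptions made here to show the check a server should make before issuing a token directly to a client.

```python
"""Minimal OAuth 2.0 authorize/token endpoint simulation (added example).

CLIENTS, AUTH_CODES and TOKENS play the role of the clients, auth_codes and
tokens tables.  The allowed_response_types field is hypothetical: it models
the server deciding, per registered client, whether the token may be issued
straight from the authorize endpoint (response_type=token) or only after a
code exchange (response_type=code).
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample "clients" table.
CLIENTS = {
    # the client id from the question, assumed here to be a confidential web app
    "0123456789ab": {
        "redirect_uri": "https://app.example/cb",
        "allowed_response_types": {"code"},
    },
    # hypothetical browser-only client that has been registered for the token grant
    "spa-client": {
        "redirect_uri": "https://spa.example/cb",
        "allowed_response_types": {"code", "token"},
    },
}
AUTH_CODES = {}   # code  -> {"client_id": ..., "expires": ...}
TOKENS = {}       # token -> {"client_id": ..., "expires": ...}


class AuthorizeError(Exception):
    """Raised when the authorize or token request must be refused."""


def handle_authorize(query_string, now=None):
    """Handle '?client_id=..&response_type=..&state=..' and return the redirect URL."""
    now = now or time.time()
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    client = CLIENTS.get(params.get("client_id", ""))
    if client is None:
        raise AuthorizeError("unknown client_id")
    response_type = params.get("response_type")
    state = params.get("state")
    # Only grant what this client was registered for.
    if response_type not in client["allowed_response_types"]:
        raise AuthorizeError(f"client may not use response_type={response_type}")

    if response_type == "code":
        # Authorization code flow: a short-lived, single-use code goes back in
        # the query string; the token is only issued later by exchange_code().
        code = secrets.token_urlsafe(16)
        AUTH_CODES[code] = {"client_id": params["client_id"], "expires": now + 60}
        query = {"code": code}
        if state:
            query["state"] = state
        return client["redirect_uri"] + "?" + urlencode(query)

    # Implicit flow (response_type=token): the access token is issued right here
    # and returned in the URL fragment, so no auth_code row is ever created.
    token = secrets.token_urlsafe(24)
    TOKENS[token] = {"client_id": params["client_id"], "expires": now + 3600}
    fragment = {"access_token": token, "token_type": "bearer", "expires_in": 3600}
    if state:
        fragment["state"] = state
    return client["redirect_uri"] + "#" + urlencode(fragment)


def exchange_code(code, client_id, now=None):
    """Token endpoint step of the code flow: consume a code, issue a token."""
    now = now or time.time()
    entry = AUTH_CODES.pop(code, None)   # codes are single use
    if entry is None or entry["client_id"] != client_id or entry["expires"] < now:
        raise AuthorizeError("invalid or expired code")
    token = secrets.token_urlsafe(24)
    TOKENS[token] = {"client_id": client_id, "expires": now + 3600}
    return token


def try_authorize(query_string):
    """Helper returning ("ok", url) or ("error", message) instead of raising."""
    try:
        return ("ok", handle_authorize(query_string))
    except AuthorizeError as exc:
        return ("error", str(exc))


def redirect_params(url):
    """Return the parameters the client receives: query for code, fragment for token."""
    parsed = urlparse(url)
    raw = parsed.fragment or parsed.query
    return {k: v[0] for k, v in parse_qs(raw).items()}


if __name__ == "__main__":
    print(try_authorize("client_id=spa-client&response_type=token&state=test_state"))
    print(try_authorize("client_id=0123456789ab&response_type=token&state=test_state"))
    print(try_authorize("client_id=0123456789ab&response_type=code&state=test_state"))
```

Running the module shows the request from the question succeeding only for the client registered for the `token` response type; the client registered for `code` alone gets an error and must go through `exchange_code()` to obtain a token. In a real server the allowed grant types would be a column on the clients table rather than a literal in the source.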