An application has initiated an OAuth authorization code grant flow to get access to an API resource on behalf of an end user.
Which two parameters are specified in the HTTP request coming back to the application as the end user grants access? (Choose two.)
OAuth is an open standard for access delegation, commonly used to let Internet users grant websites or applications access to their information on other websites without handing over their passwords. The OAuth authorization code grant flow is one of the four OAuth flows; it is used to obtain an access token with which a protected resource such as an API can be accessed on behalf of an end user.
When an end user initiates an OAuth authorization code grant flow to grant access to an application, the authorization server redirects the end user's browser back to the application's redirect URI, and that HTTP request carries an authorization code. The application then sends a separate HTTP request to the authorization server to exchange the authorization code for an access token, which it uses to access the protected API resource on behalf of the end user.
The HTTP request coming back to the application as the end user grants access typically contains two parameters:
Code: The authorization code that can be exchanged for an access token. The authorization code is a short-lived, single-use credential; the application presents it to the authorization server in exchange for an access token, which is a longer-lived token that can be used to access the protected resource.
State: A value used for correlation and security checks. The state parameter is an opaque value the client generates to maintain state between the authorization request and the callback. The authorization server includes it unchanged when redirecting the user-agent back to the client, and the client verifies that the returned value is the same as the one it sent; a mismatch indicates a forged or stale callback and must be rejected.
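The callback handling described above, as an added example that is not part of the original question or answer: the application stores a freshly generated state in the user's session when it builds the authorization request, and on the redirect back it validates the state before accepting the code. The endpoint, client ID, redirect URI and scope are assumed placeholder values.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values assumed for illustration; not from any real deployment.
AUTHZ_ENDPOINT = "https://authz.example.com/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/callback"


def build_authorization_request(session: dict) -> str:
    """Build the redirect URL that sends the user-agent to the authorization server.

    A random, unguessable state is generated and stored in the caller's session so the
    later callback can be correlated with this specific authorization request.
    """
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "api.read",
        "state": state,
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def handle_callback(callback_url: str, session: dict) -> str:
    """Validate the redirect back to the application and return the authorization code.

    Raises ValueError when no request is pending, when the server reports an error,
    when code or state is missing, or when state does not match the stored value.
    """
    # Consume the pending state first: it is single-use, so a replayed callback fails.
    expected = session.pop("oauth_state", None)
    if expected is None:
        raise ValueError("no authorization request is pending for this session")
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization server returned error: {query['error'][0]}")
    code = query.get("code", [None])[0]
    state = query.get("state", [None])[0]
    if not code or not state:
        raise ValueError("callback is missing the code or state parameter")
    # Constant-time comparison of the returned state against the stored one.
    if not hmac.compare_digest(expected.encode(), state.encode()):
        raise ValueError("state mismatch: callback was not initiated by this session")
    return code  # the caller now exchanges this code for an access token
```

The returned code is then sent to the token endpoint in a separate back-channel request; it is never used directly as an API credential.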
Therefore, the correct answers are D and E. The other answer options are not correct because:
A. This option is partially correct in that it mentions the access token, but the refresh token is not always included in the response, and it may not come with a corresponding expiration time for access to the API resource.
B. This option is also partially correct in that it mentions the access token, but it omits that the response also includes the authorization code, which must be exchanged for an access token.
C. This option is incorrect because the redirect URI is specified in the initial request, not in the response. The response may contain a list of permissions to grant, but this is not always the case.
In summary, when an application initiates an OAuth authorization code grant flow to get access to an API resource on behalf of an end user, the HTTP request coming back to the application as the end user grants access contains the authorization code and the state parameter.