What is the difference between access tokens and auth_codes in OAuth 2

Question

I am using the OAuth 2.0 PHP Library to develop a OAuth 2.0 server in PHP.

In the example of that library I can see 3 tables: auth_codes, clients and tokens.

As far as I know tokens are used to access the data and auth codes are used to obtain tokens.

But the problem is that if i do

...authorize.php?client_id=0123456789ab&response_type=token&state=test_state

I can get token without even getting the access code.

How is that possible ? Is this a proper implementation ?

Answer 1

There are two flows for OAuth2 authentcation.

1. Two-legged OAuth
2. Three-legged OAuth

Here you have encountered 2-legged OAuth which doesn't require the auth_code to get access_token dance :)

These are some useful links that will help you understand the difference better.

1. http://cakebaker.42dh.com/2011/01/10/2-legged-vs-3-legged-oauth/
2. https://sites.google.com/site/oauthgoog/2leggedoauth/2opensocialrestapi