In the OAuth Authorization Code Grant Type Flow, how does the client get ACCESS_TOKEN?

Prepare for the MuleSoft Developer 2 Certification Exam. Access practice quizzes featuring flashcards and multiple choice questions with explanations. Get confident and ready for your certification success!

Multiple Choice

In the OAuth Authorization Code Grant Type Flow, how does the client get ACCESS_TOKEN?

Explanation:
In this flow, the temporary authorization code is exchanged on the back-channel for tokens. After the user authenticates, the client receives an authorization code and then makes a server-to-server request to the token endpoint, presenting that code along with its client credentials (for confidential clients, the client_secret is required; redirect_uri may also be included). The authorization server validates these and responds with an access_token (and often a refresh_token) that the client can use to access resources. The authorization code by itself is not the access token—it must be exchanged for one through that token request.

That’s why the correct idea is that the client gets the ACCESS_TOKEN after sending the AUTH CODE plus its client credentials to the token endpoint. The other options don’t fit: the code alone doesn’t grant the token, token issuance isn’t only a refresh token, and tokens aren’t pre-issued.
