Clearing up (my own) OAuth misunderstandings
Blog post from WorkOS
The text is a detailed exploration of the OAuth authorization protocol, addressing its design choices and the security reasoning behind them. It explains the separation between the authorization server and the resource server, emphasizing security benefits such as a reduced attack surface and the ability for distinct teams to maintain each. The use of an authorization code, rather than issuing an access token directly on the redirect, is justified by security concerns such as preventing token exposure through browser history or malicious extensions. The discussion highlights the roles of access and refresh tokens, noting that while access tokens are bearer tokens, redeeming a refresh token additionally requires a valid clientId and clientSecret, which limits the damage a leaked refresh token can do. The text also introduces PKCE as a way to strengthen the authorization code flow, particularly for single-page apps and mobile applications that cannot keep a client secret, by ensuring that the entity redeeming the authorization code for an access token is the one that originally requested that code. The author acknowledges the complexity of OAuth and expresses a continued interest in understanding its details, such as the use of the state parameter as a CSRF token.
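To make the PKCE binding concrete, here is an added example (not code from the WorkOS post) of a toy authorization server that stores an S256 code_challenge with each issued code and only releases an access token when the presented code_verifier hashes to it. The client_id and redirect_uri values are constructed for the demo; the hashing and base64url encoding follow RFC 7636.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    # Base64url without padding, as RFC 7636 requires.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes -> 43 characters, inside the 43..128 range RFC 7636 allows.
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    # S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy authorization server: issues codes and redeems each exactly once."""

    def __init__(self) -> None:
        self._pending = {}  # code -> (client_id, code_challenge, redirect_uri)

    def authorize(self, client_id, redirect_uri, code_challenge, method="S256"):
        if method != "S256":  # "plain" would expose the verifier to anyone who sees the request
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (client_id, code_challenge, redirect_uri)
        return code

    def token(self, client_id, redirect_uri, code, code_verifier):
        entry = self._pending.pop(code, None)  # pop: an authorization code is single-use
        if entry is None:
            return None  # unknown, expired, or already redeemed
        stored_client, stored_challenge, stored_redirect = entry
        if stored_client != client_id or stored_redirect != redirect_uri:
            return None
        # Only the party that generated the verifier can reproduce the stored challenge.
        if not secrets.compare_digest(make_code_challenge(code_verifier), stored_challenge):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow(server, tamper=False):
    """A public client (SPA/mobile, no client_secret) runs the code flow end to end."""
    client_id, redirect_uri = "spa-demo", "https://app.example/cb"  # constructed values
    verifier = make_code_verifier()
    code = server.authorize(client_id, redirect_uri, make_code_challenge(verifier))
    presented = make_code_verifier() if tamper else verifier  # tamper: right code, wrong verifier
    return server.token(client_id, redirect_uri, code, presented)
```

Calling `run_flow(server, tamper=True)` models a code that reached the wrong party: without the matching verifier the token endpoint refuses it, and because codes are popped on first use a replay of a legitimately redeemed code is refused as well.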