Why does the authenticator mode in OAuth2 have to go to the resource server to obtain a code before obtaining the token, and then use the resource server's code to apply for a token from the resource server?
After reading a lot of materials, it is said that the resource server will jump to a callback URL, specified by us, after the user confirms the authorization. If the token were returned directly, anyone could see the token in the browser, and then there would be no security at all.
But I have a puzzle.
That is, why does the resource server have to jump to the callback URL given by the third-party site? If my URL is an interface, the resource server can directly call back my interface without jumping through the browser. Then the token can be given directly to my server, and then my server will decide how to jump after storing the token.
Isn't this simpler than authorization mode and safer than implicit mode?
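
As an added illustration (not part of the original post), here is a small in-memory simulation of the flow the question describes: the browser redirect carries only a one-time code plus a `state` value tied to the user's session, and the token is obtained in a separate server-to-server call authenticated with the client secret. The client id, secret, callback URL and all function names are constructed for this sketch; the server that issues the code and token is the one the post calls the resource server.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample registration: client id, secret and callback are made up.
CLIENTS = {"demo-client": {"secret": "demo-secret",
                           "redirect_uri": "https://client.example/callback"}}
_codes = {}  # one-time code -> (client_id, redirect_uri, user)


def authorize(client_id, redirect_uri, state, user):
    """Front channel: runs after the user approves; returns the browser redirect URL."""
    if CLIENTS[client_id]["redirect_uri"] != redirect_uri:
        raise ValueError("redirect_uri not registered")
    code = secrets.token_urlsafe(16)
    _codes[code] = (client_id, redirect_uri, user)
    # Only the code and the caller's state are exposed to the browser.
    return redirect_uri + "?" + urlencode({"code": code, "state": state})


def token(client_id, client_secret, code, redirect_uri):
    """Back channel: server-to-server call that never passes through the browser."""
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        raise PermissionError("client authentication failed")
    grant = _codes.pop(code, None)  # pop makes the code single-use
    if grant is None or grant[:2] != (client_id, redirect_uri):
        raise PermissionError("invalid or already used code")
    return {"access_token": secrets.token_urlsafe(32), "user": grant[2]}


def callback(url, expected_state):
    """Third-party site's callback handler: checks state, then redeems the code."""
    q = parse_qs(urlparse(url).query)
    if q["state"][0] != expected_state:
        raise PermissionError("state mismatch")  # redirect is not from this session
    return token("demo-client", "demo-secret", q["code"][0],
                 CLIENTS["demo-client"]["redirect_uri"])


def demo():
    state = secrets.token_urlsafe(8)  # stored in the user's browser session
    url = authorize("demo-client", "https://client.example/callback", state, "alice")
    return url, callback(url, state)


if __name__ == "__main__":
    redirect_url, tok = demo()
    print("browser saw:", redirect_url)
    print("server got token for:", tok["user"])
```

The `state` check in `callback` is what links the redeemed code to the browser session that started the flow; a direct server-to-server callback would arrive without that session.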