As we know, in OAuth third-party authorization, after the user approves the request at the third party, the service provider receives a so-called authorization code rather than the access_token that could directly retrieve the user's data. Only after obtaining the code does the service provider exchange it with the authorization server for the access_token.
Some might wonder: why not just return the access_token directly?
It would indeed grant access to the user's information, but the token would then be exposed in the browser. Because an access_token is usually valid for a certain period of time, anyone who obtains it can access the user's personal information for as long as it remains valid.
When a code is used to obtain the access_token instead, the code is short-lived and one-time. The exchange of the code for the access_token happens on the service provider's server side, so the sensitive token is never exposed to the outside world.
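To make the two properties above concrete (the code is single-use and expires quickly, and only the service provider that holds the client secret can redeem it), here is an added example of a minimal in-memory authorization server; it is illustrative code written for this page, not part of any real OAuth library. The `AuthServer` class, the constructed `CODE_TTL` of 60 seconds, and the injectable `now` clock are assumptions made for the example.

```python
import hmac
import secrets
import time

# Constructed value for this example: how long an authorization code stays redeemable.
CODE_TTL = 60  # seconds


class AuthServer:
    """Hypothetical authorization server keeping codes and tokens in memory.

    `client_secrets` maps client_id -> client_secret (shared only with the
    service provider's server side, never with the browser).  `now` is a
    clock function, injectable so that expiry can be exercised in tests.
    """

    def __init__(self, client_secrets, now=time.time):
        self.client_secrets = client_secrets
        self.now = now
        self._codes = {}   # code -> {client_id, user_id, redirect_uri, expires}
        self._tokens = {}  # access_token -> user_id

    def issue_code(self, client_id, user_id, redirect_uri):
        """Called after the user approves: mint a short-lived, single-use code.

        The code is what travels back through the browser; it carries no
        user data by itself and is useless without the client secret.
        """
        code = secrets.token_urlsafe(32)
        self._codes[code] = {
            "client_id": client_id,
            "user_id": user_id,
            "redirect_uri": redirect_uri,
            "expires": self.now() + CODE_TTL,
        }
        return code

    def exchange_code(self, code, client_id, client_secret, redirect_uri):
        """Server-to-server step: trade a code for an access_token.

        Returns the access_token on success, or None if the code is unknown,
        already used, expired, bound to another client/redirect, or the
        client secret does not match.  The code is consumed on first use
        regardless of outcome, so a stolen code cannot be replayed.
        """
        entry = self._codes.pop(code, None)  # pop = one-time use
        if entry is None:
            return None
        if self.now() > entry["expires"]:
            return None
        if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            return None
        expected = self.client_secrets.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = entry["user_id"]
        return token

    def user_for_token(self, token):
        """Resource-server side: resolve an access_token to the user it represents."""
        return self._tokens.get(token)


if __name__ == "__main__":
    srv = AuthServer({"demo-app": "demo-secret"})
    code = srv.issue_code("demo-app", "alice", "https://app.example/cb")
    token = srv.exchange_code(code, "demo-app", "demo-secret", "https://app.example/cb")
    print("token resolves to:", srv.user_for_token(token))
    print("second exchange of same code:", srv.exchange_code(
        code, "demo-app", "demo-secret", "https://app.example/cb"))
```

The `pop` in `exchange_code` is what enforces the one-time property, and the `expires` check enforces the time limit; together they mean that even if the code is observed in the browser, it is worthless once the legitimate server-side exchange has happened or the window has passed.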