Salesforce Certified Identity and Access Management Practice

The statement that accurately describes Authorization Codes in Salesforce is that they are passed from the client application to the Authorization Server in exchange for an access/refresh token. This process is part of the OAuth 2.0 authorization framework, where the client first obtains the authorization code by directing the user to the authorization server. Upon successfully authenticating and authorizing, the Authorization Server issues the code, which the client application then exchanges for access and refresh tokens.

This mechanism helps ensure that sensitive access tokens are not exposed through the user agent and provides a secure way to obtain these tokens for accessing protected resources. The exchange process is fundamental to the OAuth 2.0 flow, emphasizing a secure and structured method to grant third-party applications access to user data without sharing the user's credentials.

The other statements do not accurately describe Authorization Codes. For instance, they are not generated and passed directly via the browser in a user-visible form but rather handled securely by the client app. They are not tokens themselves, as they serve as a temporary credential to request access tokens; thus, they do not have characteristically short lifetimes like tokens. Lastly, they do not possess an indefinite lifetime; rather, they typically have a very short lifespan, which adds to the security of the