Salesforce Certified Identity and Access Management Practice

Study for the Salesforce Certified Identity and Access Management Exam. Utilize flashcards, multiple choice questions, and comprehensive explanations to prepare thoroughly. Get ready to ace your exam!


Which statement accurately describes Authorisation Codes in Salesforce?

  1. Are generated by Salesforce and passed to the client app via the browser

  2. Are a type of OAuth token that authorise access for a very short amount of time

  3. Are passed from the client App to the Authorisation Server in exchange for an access/refresh token

  4. Can have an indefinite lifetime

The correct answer is: Are passed from the client App to the Authorisation Server in exchange for an access/refresh token

The statement that accurately describes Authorization Codes in Salesforce is that they are passed from the client application to the Authorization Server in exchange for an access/refresh token. This process is part of the OAuth 2.0 authorization framework, where the client first obtains the authorization code by directing the user to the authorization server. Upon successfully authenticating and authorizing, the Authorization Server issues the code, which the client application then exchanges for access and refresh tokens. This mechanism helps ensure that sensitive access tokens are not exposed through the user agent and provides a secure way to obtain these tokens for accessing protected resources. The exchange process is fundamental to the OAuth 2.0 flow, emphasizing a secure and structured method to grant third-party applications access to user data without sharing the user's credentials.

The other statements do not accurately describe Authorization Codes. For instance, they are not generated and passed directly via the browser in a user-visible form but rather handled securely by the client app. They are not tokens themselves, as they serve as a temporary credential to request access tokens; thus, they do not have characteristically short lifetimes like tokens. Lastly, they do not possess an indefinite lifetime; rather, they typically have a very short lifespan, which adds to the security of the