In OAuth 2, the application server makes a request to the API server, and sends along its client_secret. The API server uses the client_secret to make sure the application is who it says it is (like a password). If the application is authorized to receive the data it requested, the API server will respond with that data.

My understanding is that the API server also responds with an authentication token. Next time the App server wants to make a request of the API server, it could provide the authentication token instead of the client_secret, and the API server will know that the App server is authorized.

What is the advantage to this? I know the client_secret really needs to be kept secret. But so does the authentication token, right?
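The exchange described in the question, modelled as an added example that is not part of the original post: a toy authorization server that checks the long-lived client_secret once, issues a short-lived, scoped token, and can revoke that token without touching the secret. The class name, the registered client "app-1", its secret and the one-hour lifetime are all constructed for this illustration.

```python
import hashlib
import hmac
import secrets
import time


class ToyAuthServer:
    """Constructed model of the token half of an OAuth 2 client-credentials exchange."""

    def __init__(self, ttl_seconds=3600):
        # The server keeps only a hash of each client's secret (constructed sample client).
        self.clients = {"app-1": hashlib.sha256(b"s3cr3t-long-lived").hexdigest()}
        self.tokens = {}  # token -> {"client", "scope", "exp"}
        self.ttl = ttl_seconds

    def issue_token(self, client_id, client_secret, scope, now=None):
        """Authenticate with the secret once; return a bearer token or None on failure."""
        now = time.time() if now is None else now
        expected = self.clients.get(client_id)
        presented = hashlib.sha256(client_secret.encode()).hexdigest()
        # Constant-time comparison; an unknown client_id fails the same way as a bad secret.
        if expected is None or not hmac.compare_digest(expected, presented):
            return None
        token = secrets.token_urlsafe(32)  # random, not derived from the secret
        self.tokens[token] = {"client": client_id, "scope": set(scope), "exp": now + self.ttl}
        return token

    def check_token(self, token, required_scope, now=None):
        """Return the client id if the token is live and carries the scope, else None."""
        now = time.time() if now is None else now
        rec = self.tokens.get(token)
        if rec is None or now >= rec["exp"] or required_scope not in rec["scope"]:
            return None
        return rec["client"]

    def revoke(self, token):
        """Invalidate one token; the client's secret and other tokens are unaffected."""
        self.tokens.pop(token, None)
```

A leaked token is bounded by its expiry and scope and can be revoked on its own, whereas a leaked client_secret mints new tokens until the secret itself is rotated.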