Why does an authorized OAuth 1.0 request token need to be exchanged for an access token?

I'm wondering what the reasons are for OAuth 1.0 to require a round-trip to the data provider to exchange an authorized request token for an access token.

My understanding of the OAuth 1.0 workflow is:

  1. Requesting site (consumer) gets a request token from the data provider site (service provider).

  2. Requesting site asks the data provider site to authenticate the user, passing in a callback.

  3. Once the user has been authenticated and authorized the requesting site, the user is directed back to the requesting site (consumer) via the callback provided which passes back the now-authorized request token and a verification code.

  4. The requesting site exchanges the request token for an access token.

  5. The requesting site uses the access token to get data from the data provider site.

Assuming I got that right, why couldn't the callback simply provide the access token to the requesting site directly in step 3, eliminating step 4? Why is the request to exchange the request token for the access token necessary? Does it exist solely for consumers that require users to enter the verification code manually, with the thought that it would be shorter and simpler than the access token itself?


Joe,

With OAuth 1.0, it's important to keep in mind which pieces are happening "server-to-server" and which pieces involve the browser ("user agent"). The "point" of OAuth, if you like, is to get a server-side access token and secret to the consumer's back-end server, without ever having the secret pass through the browser.

With this in mind: when a user authorizes a request token, the "callback" happens through the user-agent, via HTTP redirection. In other words, any data (i.e. a verifier code and the request token but NOT the request token SECRET) in the callback is "seen" by the browser. This is why an access token (and secret) can't be parameters of the callback step: these need to be communicated directly from server-to-server, not via the browser.

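A small simulation of the flow the answer describes, added here as an example and not part of the question or the answer: the provider state, endpoint URL and key values are constructed, and the signature is a simplified HMAC-SHA1 rather than the full OAuth 1.0a base-string normalization. It shows that the browser redirect carries only the token and verifier, while step 4 succeeds only for the back end that holds the request token secret.

```python
import hmac, hashlib, secrets
from urllib.parse import urlencode, quote

# Hypothetical provider state and endpoint, constructed for this example.
ACCESS_URL = "https://provider.example/oauth/access_token"
CONSUMER_KEY, CONSUMER_SECRET = "consumer-key", "consumer-secret"  # shared out of band
request_tokens = {}   # token -> {"secret", "verifier", "authorized"}

def sign(method, url, params, consumer_secret, token_secret):
    # Simplified OAuth 1.0a HMAC-SHA1: signing key is consumer secret & token secret.
    base = "&".join(quote(p, safe="") for p in (method, url, urlencode(sorted(params.items()))))
    key = f"{quote(consumer_secret, safe='')}&{quote(token_secret, safe='')}"
    return hmac.new(key.encode(), base.encode(), hashlib.sha1).hexdigest()

def issue_request_token():
    # Step 1 (server-to-server): token AND secret go to the consumer's back end.
    tok, sec = secrets.token_hex(8), secrets.token_hex(16)
    request_tokens[tok] = {"secret": sec, "verifier": None, "authorized": False}
    return tok, sec

def user_authorizes(tok):
    # Step 3 (via the browser): the redirect carries token + verifier, never the secret.
    ver = secrets.token_hex(4)
    request_tokens[tok].update(verifier=ver, authorized=True)
    return {"oauth_token": tok, "oauth_verifier": ver}

def exchange(params, signature):
    # Step 4 (server-to-server): accepted only if the caller knows the request token SECRET.
    rec = request_tokens.get(params.get("oauth_token"))
    if not rec or not rec["authorized"] or rec["verifier"] != params.get("oauth_verifier"):
        return None
    expected = sign("POST", ACCESS_URL, params, CONSUMER_SECRET, rec["secret"])
    if not hmac.compare_digest(expected, signature):
        return None
    del request_tokens[params["oauth_token"]]           # request tokens are single-use
    return secrets.token_hex(8), secrets.token_hex(16)  # access token + access token secret

def consumer_flow(token_secret_known=True):
    # Runs steps 1-4. With token_secret_known=False it models a caller that has only the
    # values visible in the browser redirect and therefore cannot complete step 4.
    tok, sec = issue_request_token()
    callback = user_authorizes(tok)                      # what passed through the browser
    params = {"oauth_consumer_key": CONSUMER_KEY, **callback}
    sig = sign("POST", ACCESS_URL, params, CONSUMER_SECRET, sec if token_secret_known else "")
    return exchange(params, sig)
```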
