http://tools.ietf.org/html/draft-ietf-oauth-v2-31#section-10.5
code
REQUIRED. The authorization code generated by the
authorization server. The authorization code MUST expire
shortly after it is issued to mitigate the risk of leaks. A
maximum authorization code lifetime of 10 minutes is
RECOMMENDED. The client MUST NOT use the authorization code
more than once. If an authorization code is used more than
once, the authorization server MUST deny the request and SHOULD
revoke (when possible) all tokens previously issued based on
that authorization code. The authorization code is bound to
the client identifier and redirection URI.
authorization codes MUST be short lived and single use
access_token should be posted
原文:http://www.cnblogs.com/argb/p/4269529.html