300-920 Question #28: Real Exam Question with Answer & Explanation

Webex API Foundation

Question

Refer to the exhibit. On line 4, the script retrieves a context from a DOM element that was generated from a server-side component. How does that server-side component obtain the value for the `context` element?

Exhibit

300-920 question #28 exhibit

Options

  • A. by opening a dialog asking the end-user to paste his personal access token
  • B. by completing an authorization code grant flow using the identifier and secret of an OAuth
  • C. by embedding the access token of a Bot account
  • D. by creating a guest token using the identifier and secret of a Guest Issuer application

Explanation

Option B is correct because the authorization code grant flow is the standard OAuth 2.0 server-side authentication pattern: the server uses its OAuth application's client identifier and secret to exchange an authorization code (obtained after a user authorizes the app) for an access token. That token is then embedded into the server-rendered HTML DOM so the client-side script can retrieve it on line 4.

Why the distractors are wrong:

  • A is wrong because a server-side component renders automatically - it does not open dialogs or rely on a user to manually paste anything. That would be a client-side, manual flow.
  • C is wrong because Bot account tokens authenticate a bot acting on its own behalf, not on behalf of a human user. Embedding a Bot token would grant bot-level access, not user-delegated access, which is inappropriate for this pattern.
  • D is wrong because Guest Issuer tokens are designed to onboard temporary, non-authenticated guest users (people without accounts on the platform). This serves a different use case than authenticating a real user.

Memory tip: Think "Server = Secret." Only the authorization code grant flow (B) involves the server securely using a secret to exchange for a token on the back channel - keeping credentials out of the browser. If it involves a secret, it belongs on the server; if it involves a guest or a bot, it's for a different actor entirely.

Topics

#OAuth authorization code flow · #Webex API authentication · #Access tokens · #Webex integrations
