I remember one of the reasons access code is in memory. When a code is
turned into a token, the code is removed. Thus, the code can only be
used once and only once to obtain an access token. This can be
mitigated of course by timeouts on the access code.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com