LOGBOOK

HELP

Quiz Entry - updated: 2026.07.01

Why can't you see OAuth steps 5–8 in the ZAP browser proxy, and where do the ID/Access tokens actually live?

Those steps are server-to-server (back channel) between the web app's backend and the authorization server, so they never pass through the browser the proxy is watching — the tokens end up on the app's server.

A browser proxy like ZAP can only see traffic that flows through the browser:

  • Visible (front channel): the user ↔ web app, and the user ↔ authorization server login page — the browser is a party to these.
  • Invisible (back channel): the web app's backend ↔ the authorization server (/token exchange, token issuance). These are direct server-to-server HTTPS calls the browser is never part of.

Because this is a server-side web application, the authorization code exchange and the resulting ID Token and Access Token stay on the app's server, never reaching the browser. (A demo app can even re-display them in the page GUI just so you can inspect what you'd otherwise never see.)

Tip: "If the browser isn't a participant, your browser proxy can't see it." Keeping front-channel vs back-channel straight explains most "why is this request missing in ZAP?" puzzles.

From Quiz: INTROL / Web Authentication: Cookies, OAuth 2.0 / OIDC & WebAuthn | Updated: Jul 01, 2026