In the OAuth protocol, a service consumer will ask a user to authorize a request token in the service provider domain, then exchanges the request token for a access token from the service provider.
I'm wondering why OAuth is designed to have two tokens in the protocol.
Why not just use one single token in this process? That is, the user would authorize the token, and the service consumer would retrieve info from the provider with the token.
For usability and security reasons.
From the Beginner’s Guide to OAuth:
https://hueniverse.com/beginners-guide-to-oauth-part-iii-security-architecture-e9394f5263b5
... While mostly an artifact of how the OAuth specification evolved, the two-Token design offers some usability and security features which made it worthwhile to stay in the specification. OAuth operates on two channels: a front-channel which is used to engage the User and request authorization, and a back-channel used by the Consumer to directly interact with the Service Provider. By limiting the Access Token to the back-channel, the Token itself remains concealed from the User. This allows the Access Token to carry special meanings and to have a larger size than the front-channel Request Token which is exposed to the User when requesting authorization, and in some cases needs to be manually entered (mobile device or set-top box).
===
Note that this question is a dupe of
Why must we "change temporary credentials for token credentials" in OAuth?
If the explanation from the Beginner’s Guide isn't clear, then go read @npdoty's take on it .