In oauth you make a request using you client id/secret to get an authorization code. Then you make a second request to exchange the authorization code for access token. My question is:
Why is this two step process required instead of getting access token in the first place? How does it make the whole process more secure? Or is there another reason.
I'm talking about server side app (like php for example) requesting authorization from a remote server, not javascript.
It's possible to do it with a single request - it's called the implicit flow then. There is a single request with response_type set to token or id_token token.
The general idea of using access code (authorization flow) instead of directly returning the tokens is to hide them from the end user. The second request is done usually by the backend server instead of a browser.
You can find more details here: https://auth0.com/docs/api-auth/which-oauth-flow-to-use
Note: for complete answer read the comments.