# Deep Dive into OAuth 2.0
OAuth 2.0 is the industry-standard protocol for authorization. It allows applications to securely access resources on behalf of a user, without sharing their credentials.
## What is OAuth?
OAuth is a delegation protocol that lets users grant third-party applications limited access to their data, without giving away passwords.
Example: Allowing a website to access your Google Calendar or GitHub repos without sharing your login credentials.
## Key Components

| Component | Description |
|---|---|
| Resource Owner | The user who owns the data |
| Client | The app requesting access |
| Authorization Server | Issues access tokens |
| Resource Server | Hosts protected data (API) |
## OAuth Grant Types (Flows)

### 1. Authorization Code (with PKCE)
Recommended for web and mobile apps. Instead of receiving tokens directly on the redirect, the app receives an intermediate authorization code and exchanges it for tokens on the back channel, which keeps tokens out of the browser redirect.
Flow:
- User logs in and authorizes.
- App gets authorization code.
- App exchanges the code for an access token.
Example exchange request (form-encoded body; `client_secret` is only present for confidential clients, and `code_verifier` is the PKCE verifier that matches the challenge sent with the authorization request):

```http
POST /token HTTP/1.1
Host: auth.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=abc123&redirect_uri=https%3A%2F%2Fapp.com%2Fcallback&client_id=client123&client_secret=secret456&code_verifier=<PKCE_code_verifier>
```
PKCE (Proof Key for Code Exchange) adds extra protection for public clients such as mobile apps and SPAs, which cannot keep a client secret: the client sends a hashed code challenge with the authorization request and the matching code verifier with the token request, so an intercepted authorization code cannot be redeemed on its own.
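The PKCE half of the flow, as an added example that is not part of the original guide: the client generates the verifier and S256 challenge, builds the front-channel authorize URL and the back-channel token request, and the authorization server recomputes the challenge from the presented verifier. Endpoint URLs, client ids and the `state` value are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    """Client: 32 random bytes -> 43-char verifier (RFC 7636 allows 43..128 chars)."""
    return b64url(secrets.token_bytes(32))

def make_code_challenge(verifier: str) -> str:
    """Client: S256 challenge = base64url(SHA-256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorize_url(auth_endpoint, client_id, redirect_uri, scope, state, challenge):
    """Client: front-channel request via the browser; only the challenge travels here."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{auth_endpoint}?{urlencode(params)}"

def build_token_request(code, client_id, redirect_uri, verifier):
    """Client: back-channel body for POST /token; the verifier is revealed only now."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    }

def server_verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization server (S256): recompute the challenge from the presented verifier
    and compare in constant time; a code stolen from the redirect is useless without it."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return secrets.compare_digest(make_code_challenge(presented_verifier), stored_challenge)
```

The verifier/challenge pair from RFC 7636 Appendix B can be used to check `make_code_challenge` against a known-good value.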
### 2. Client Credentials
Used for machine-to-machine communication. No user is involved; the client authenticates with its own credentials.

```http
POST /token HTTP/1.1
Host: auth.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=abc&client_secret=xyz
```
### 3. Resource Owner Password Credentials (Deprecated)
The user gives their username and password directly to the client application. Not recommended: the client sees the raw credentials, which defeats the point of delegation.
### 4. Refresh Token
Used to renew access tokens without re-prompting the user.

```http
POST /token HTTP/1.1
Host: auth.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=abc123&client_id=xyz
```
## OAuth Tokens

| Token Type | Description |
|---|---|
| Access Token | Used to access APIs |
| Refresh Token | Used to get a new access token |
| ID Token (OIDC) | Contains user identity info (JWT) |
Tokens can be opaque or JWT-based.
## Security Best Practices

- Always use PKCE for public clients (SPA, mobile)
- Use HTTPS everywhere
- Store tokens securely (never in localStorage)
- Set short-lived access tokens + use refresh tokens
- Implement scopes to limit access
- Revoke tokens if suspicious behavior is detected
## OAuth vs OpenID Connect (OIDC)
- OAuth = Delegation (Authorization)
- OIDC = Identity Layer on top of OAuth (Authentication)
OIDC adds:
- ID token (who the user is)
- UserInfo endpoint
- Standard claims (email, name, etc.)
## Popular Providers & Tools

| Provider | Docs |
|---|---|
| Google | https://developers.google.com/identity |
| GitHub | https://docs.github.com/en/developers/apps |
| Auth0 | https://auth0.com/docs |
| Okta | https://developer.okta.com |
| Keycloak | https://www.keycloak.org |
Tools:
- Postman OAuth2 support
- OpenID Connect Playground
- OAuth 2.0 Token Introspection tools
## Further Reading

## Summary

| Topic | Notes |
|---|---|
| Use Authorization Code Flow | For apps with user interaction |
| Use PKCE | For security in SPAs/mobile apps |
| Use Client Credentials | For service-to-service auth |
| Use Refresh Tokens | For long sessions |
| Never expose secrets | In public clients or repos |
| Prefer OpenID Connect | When identity is needed |