π OAuth 2.0 Flows
OAuth (Open Authorization) is an open standard that allows applications to access resources on behalf of a user without requiring their password.
Example: When you log in to a new website using βLogin with Google,β you donβt give your Google password to that website. Instead, Google gives a temporary access token that allows limited access to your information.
𧩠Core Componentsβ
| Role | Description | Example |
|---|---|---|
| Resource Owner | The user who owns the data | You |
| Client | The app that wants access | Spotify |
| Authorization Server | Issues tokens after user consent | Google OAuth |
| Resource Server | Hosts the protected data | Google APIs |
π§ Why Multiple OAuth 2.0 Flows Existβ
Different app types have different security levels and capabilities.
- Web servers can store secrets safely.
- Mobile / SPA apps cannot.
- Machine-to-machine systems have no user at all.
Hence, OAuth 2.0 defines different flows for different use cases.
π OAuth 2.0 Flows
1οΈβ£ Authorization Code Flow (For Server-side Web Apps)β
Used by apps with a secure backend that can store a client secret.
π Stepsβ
- User clicks βLogin with Google.β
- App redirects the user to Googleβs OAuth endpoint.
- User logs in and approves permissions.
- Google redirects back with an authorization code.
- Backend exchanges that code (using clientid) for an access token and optional refresh token.
- Further Backend communicate securily using access_token
β Prosβ
- Very secure (tokens never exposed to the browser).
- Can get refresh tokens for long sessions.
β Consβ
- Requires a backend server.
- Server should use HTTPS for security
2οΈβ£ Authorization Code Flow with PKCE (For Mobile & SPAs)β
PKCE = Proof Key for Code Exchange
Used when the app cannot store a client_secret, e.g. mobile apps or SPA.
π How It Worksβ
- App generates a random code_verifier and a code_challenge (hash of it).
- code_verifier = SHA256(code_challenge)
- Sends
code_challengewith the auth request. - After login, receives the authorization code.
- Exchanges the code + original
code_verifierfor tokens. - Auth Server validates the hash to ensure itβs the same app that initiated login.
β Prosβ
- Secure even for public clients (no secret needed).
- Prevents authorization code interception attacks.
- No XSS attack possible as code_verifier is generated and stored in frontend app state not in local storage or something.
β Consβ
- Slightly more complex setup.
3οΈβ£ Implicit Flow (Deprecated)β
Used by SPAs before PKCE existed. Tokens were returned directly in the redirect URL.
β οΈ Why Not to Useβ
Tokens in URLs can be exposed to browser history, extensions, or logs. Now replaced by PKCE flow.
4οΈβ£ Client Credentials Flow (Machine-to-Machine)β
Used when no user is involved β just two backend services communicating.
β Prosβ
- Simple and efficient for service-to-service communication.
β Consβ
- Represents the application only, not a user.
- Must secure the client_secret.
5οΈβ£ Resource Owner Password Credentials (ROPC) Flow (Legacy)β
User provides their username and password directly to the app.
β οΈ Not Recommendedβ
Breaks OAuthβs purpose β the app could steal the password. Use only for trusted internal systems (and even then, avoid it).
6οΈβ£ Device Code Flow (For TVs / IoT Devices)β
Used when device has no browser or keyboard.
π How It Worksβ
- Device shows a code and asks user to visit a URL (e.g.,
google.com/device). - User logs in from another device and enters the code.
- Device polls the server until approved, then receives a token.
β Prosβ
- Works on limited-input devices.
β Consβ
- Slower, more complex UX.
π PKCE β Deep Dive
PKCE (Proof Key for Code Exchange) prevents attackers from stealing the authorization code.
| Step | Term | Description |
|---|---|---|
| 1 | code_verifier | Random string kept secret in the app |
| 2 | code_challenge | SHA256 hash of verifier sent to auth server |
| 3 | authorization_code | Received after user login |
| 4 | code_verifier again | Sent later to prove itβs the same app |
β
This ensures even if someone steals the authorization code, they canβt exchange it for tokens without the code_verifier.
π§° Security Concepts to Know
| Concept | Description |
|---|---|
| Access Token | Used to access protected resources (short-lived) |
| Refresh Token | Used to get new access tokens without login |
| Client Secret | Private credential for confidential clients |
| Scope | Defines what access is granted (e.g., email, profile) |
| Redirect URI | Callback URL after user authorization |
| State Parameter | Random string to prevent CSRF attacks |
stateparam is used like, when client redirect to auth provider it adds a random generate state in query param and store it locally. so when auth server redirect back to client it verifies that state should be present and same. The issue it solves is even if attacker tricks user to visit malicious link on redirect back client will know it is a csrf issue as token will be wrong or not present.
βοΈ Common Attacks & Mitigations
| Attack | Description | Prevention |
|---|---|---|
| Authorization Code Interception | Attacker steals code from redirect | Use PKCE |
| Token Replay | Reuse of old token | Short-lived tokens, use HTTPS |
| CSRF (Cross-site request forgery) | Fake redirect or callback | Use state param |
| Token Leakage in URLs | Tokens in fragment or query | Avoid Implicit Flow |
| Refresh Token Abuse | Compromised long-term token | Use rotation and revocation |
π OAuth 1.0 vs OAuth 2.0
| Feature | OAuth 1.0 | OAuth 2.0 |
|---|---|---|
| Signing method | Cryptographic signatures | Bearer tokens (simpler) |
| Ease of implementation | Complex | Easier, but requires HTTPS |
| Token type | Request/Access tokens | Access/Refresh tokens |
| Mobile/SPA support | Poor | Excellent (via PKCE) |
| Extensibility | Limited | Highly extensible |
| Security | Built-in signing | Relies on HTTPS + PKCE |
| Use today? | Deprecated | Standard |
OAuth 2.0 simplified the protocol but shifted more responsibility to developers for security.
π Extra Things You Should Know
- OIDC (OpenID Connect): Layer built on OAuth 2.0 for authentication (identity), adds
id_token(JWT). - JWT (JSON Web Token): Common token format β signed, optionally encrypted, self-contained.
- Token Introspection: Endpoint to verify token validity.
- Token Revocation: Endpoint to revoke access or refresh tokens.
- Scopes & Consent UI: Always request minimum scopes necessary for principle of least privilege.
- Use HTTPS always: OAuth 2.0 assumes all communication is encrypted.
- Avoid storing tokens in localStorage in SPAs β use memory or HTTP-only cookies instead.
π§ Quick Decision Table
| Use Case | Recommended Flow |
|---|---|
| Web App (Backend) | Authorization Code Flow |
| SPA / Mobile App | Authorization Code + PKCE |
| Service β Service | Client Credentials |
| Smart TV / IoT | Device Code Flow |
| Legacy System | Avoid, but ROPC if unavoidable |