OAuth 2.0 is the industry-standard protocol for authorization, enabling applications to obtain limited access to user accounts on an HTTP service. It works by delegating user authentication to the service that hosts the user account and authorizing third-party applications to access that account.
OAuth2 defines several grant types for different client scenarios. Choosing the right one is the most important architectural decision.
The authorization code flow is the most secure and most commonly used flow for server-side applications. The client redirects the user to the authorization server, which authenticates the user and returns an authorization code to the client's registered redirect_uri. The client then exchanges that code for an access token at the token endpoint, authenticating with its client secret.
User -> Client: Click "Login with Provider"
Client -> Auth Server: Redirect with client_id, redirect_uri, scope
Auth Server -> User: Login page
User -> Auth Server: Credentials
Auth Server -> Client: Authorization code (via redirect)
Client -> Auth Server: Code + client_secret -> Access Token
Proof Key for Code Exchange (PKCE) is an extension to the authorization code flow designed for mobile and single-page applications, where a client secret cannot be kept confidential. The client generates a random code_verifier and sends its hash, the code_challenge, in the initial authorization request. At the token exchange the client presents the code_verifier, and the authorization server checks that it hashes to the stored code_challenge; an attacker who intercepts the authorization code alone cannot redeem it.
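As an added example (not code from the original page), here is the PKCE derivation and check described above in Python: the client's code_verifier and S256 code_challenge, and the authorization server's verification at the token exchange. The function names and the stored-record shape are my own assumptions; the known-answer vector in the test is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets

def _b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: 32 random bytes give a 43-character verifier (RFC 7636 allows 43-128)."""
    return _b64url(secrets.token_bytes(nbytes))

def make_code_challenge(code_verifier: str) -> str:
    """Client side, S256 method: base64url(SHA-256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())

def verify_code_verifier(stored_challenge: str, stored_method: str, presented: str) -> bool:
    """Authorization server, token endpoint: does the presented verifier hash to the
    challenge that was stored when the authorization code was issued?
    Only S256 is accepted; 'plain' would let anyone who saw the challenge pass."""
    if stored_method != "S256" or not 43 <= len(presented) <= 128:
        return False
    # Constant-time comparison so timing does not reveal how much of the hash matched.
    return hmac.compare_digest(make_code_challenge(presented), stored_challenge)

def demo() -> dict:
    """Constructed walk-through (not a real server): the legitimate client succeeds,
    a party holding only the authorization code and the public challenge does not."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    # Hypothetical record the authorization server keeps alongside the issued code.
    stored = {"code_challenge": challenge, "code_challenge_method": "S256"}
    return {
        "legit": verify_code_verifier(stored["code_challenge"], stored["code_challenge_method"], verifier),
        "guess": verify_code_verifier(stored["code_challenge"], stored["code_challenge_method"], make_code_verifier()),
        "plain": verify_code_verifier(challenge, "plain", challenge),
    }

if __name__ == "__main__":
    print(demo())  # expected: {'legit': True, 'guess': False, 'plain': False}
```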
The client credentials grant is used for server-to-server communication where no user is involved. The client authenticates directly to the token endpoint with its own credentials (client ID and secret) and receives an access token for its own resources or APIs.
The implicit flow was previously used for SPAs. It returned the access token directly in the redirect URL fragment. It is now considered less secure than the authorization code flow with PKCE and should not be used in new implementations.
Access tokens are short-lived tokens (typically 15–60 minutes) that the client sends with each API request in the Authorization header. For browser applications they should never be stored in localStorage; use httpOnly cookies or in-memory storage so that an XSS payload cannot exfiltrate them.
Refresh tokens are long-lived tokens (days to months) used to obtain new access tokens without requiring the user to re-authenticate. They should be stored securely and rotated on each use, so that a leaked refresh token stays valid only until the next refresh.
Client -> Auth Server: Refresh Token + client_id
Auth Server -> Client: New Access Token (optional: new Refresh Token)
Client: Retry original API request with new Access Token