Why it matters
OAuth misunderstanding causes vulnerabilities. Understanding the flow properly is worth learning.
Advertisement
The architecture
Actors: resource owner (user), client (app), authorization server (Google, etc.), resource server (API).
Flow: client redirects user to auth server; user authorizes; auth server redirects to client with code; client exchanges code for token.
Advertisement
How it works end to end
Access token: short-lived (minutes-hours). Used to access resource server.
Refresh token: long-lived. Get new access tokens without re-consent.
Scopes: limit what token can access.
PKCE: Proof Key for Code Exchange. Required for public clients.
OpenID Connect: OAuth + identity layer. Standard for SSO.