Why it matters

OAuth misunderstanding causes vulnerabilities. Understanding the flow properly is worth learning.

Advertisement

The architecture

Actors: resource owner (user), client (app), authorization server (Google, etc.), resource server (API).

Flow: client redirects user to auth server; user authorizes; auth server redirects to client with code; client exchanges code for token.

OAuth authorization code flowRedirect to auth serveruser authorizesCode returnedto redirect URIExchange for tokenserver-to-serverPKCE required for public clients (mobile, SPA); prevents code interception
OAuth flow steps.
Advertisement

How it works end to end

Access token: short-lived (minutes-hours). Used to access resource server.

Refresh token: long-lived. Get new access tokens without re-consent.

Scopes: limit what token can access.

PKCE: Proof Key for Code Exchange. Required for public clients.

OpenID Connect: OAuth + identity layer. Standard for SSO.