Imagine you're building a mobile app that needs to access a user's calendar data from a third-party service. You could ask for their password—but that would expose their credentials and grant your app full access to their account. OAuth 2.0 solves this by allowing users to grant limited, revocable access to specific resources without sharing their password. It's the foundation of modern API security, used by Google, Facebook, GitHub, and thousands of other platforms.
This guide is written for developers who understand basic HTTP and authentication concepts but are new to OAuth 2.0. We'll cover the core components, compare the main grant types, walk through implementation steps, and highlight common pitfalls. By the end, you'll have a practical understanding of how to choose and implement the right flow for your application. This overview reflects widely shared professional practices as of May 2026; verify critical details against current official guidance where applicable.
Understanding OAuth 2.0 Roles and Core Concepts
The Four Roles
OAuth 2.0 defines four roles that interact during an authorization flow. The resource owner is typically the end-user who owns the data. The client is the application requesting access (e.g., your mobile app). The authorization server issues tokens after authenticating the resource owner and obtaining their consent. The resource server hosts the protected data and validates tokens before serving requests. Understanding these roles is crucial because each grant type involves different interactions among them.
Tokens and Scopes
The protocol uses two main token types: access tokens and refresh tokens. Access tokens are short-lived credentials that the client presents to the resource server. They are typically JSON Web Tokens (JWTs) containing claims about the user and the granted permissions. Refresh tokens are long-lived and used to obtain new access tokens without user interaction. Scopes define the specific permissions the client is requesting (e.g., 'read:calendar', 'write:photos'). The authorization server presents these scopes to the user during consent, and the client must request only the scopes it needs.
Authorization Grant Types
OAuth 2.0 defines several grant types for different client scenarios. The Authorization Code grant is the most secure for confidential clients (web apps) and mobile apps when combined with PKCE (Proof Key for Code Exchange). The Client Credentials grant is used for server-to-server communication where no user is involved. The Implicit grant (formerly for browser-based apps) is now deprecated due to security concerns; the Authorization Code with PKCE is recommended instead. The Resource Owner Password Credentials grant should only be used when the client is highly trusted (e.g., first-party apps) and is generally discouraged.
Choosing the Right Grant Type for Your Application
Web Applications (Server-Side)
For traditional web apps with a backend server, the Authorization Code grant is the standard choice. The client secret is stored securely on the server, and the authorization code is exchanged for tokens in a server-to-server call, preventing token exposure to the browser. This flow supports refresh tokens, enabling long-lived sessions without repeated logins.
Mobile and Native Applications
Mobile apps cannot securely store a client secret, so they rely on the Authorization Code grant with PKCE. PKCE adds a dynamically generated secret (code verifier) that is hashed and sent with the authorization request. The authorization server verifies the code challenge when the token is exchanged, preventing interception attacks. This is the recommended approach for all public clients.
Server-to-Server Communication
When two backend services need to communicate without user context, the Client Credentials grant is appropriate. The client authenticates directly with the authorization server using its client ID and secret, receiving an access token that represents the application itself. This is common for microservices architectures and API integrations.
Comparison Table
| Grant Type | Use Case | Client Type | Security Level |
|---|---|---|---|
| Authorization Code | Web apps with backend | Confidential | High |
| Authorization Code + PKCE | Mobile / SPA | Public | High |
| Client Credentials | Server-to-server | Confidential | High |
| Implicit (deprecated) | Legacy browser apps | Public | Low |
Step-by-Step Implementation of Authorization Code Flow
Prerequisites
Before you start, you need an authorization server (like Auth0, Keycloak, or a custom one) and a client application. Register your client with the authorization server to obtain a client ID and (for confidential clients) a client secret. Configure the redirect URI where the authorization server will send the user after consent.
Step 1: Initiate the Authorization Request
Your client redirects the user to the authorization server's /authorize endpoint with query parameters: response_type='code', client_id, redirect_uri, scope, and state (a random string for CSRF protection). For PKCE, also include code_challenge and code_challenge_method. Example: https://auth.server/authorize?response_type=code&client_id=myapp&redirect_uri=https://myapp.com/callback&scope=read:calendar&state=abc123&code_challenge=E9Melho...&code_challenge_method=S256
Step 2: User Authentication and Consent
The authorization server authenticates the user (via login form) and presents a consent screen listing the requested scopes. The user approves or denies the request. If approved, the server redirects back to your redirect URI with an authorization code and the original state parameter. Your client must verify that the state matches the one sent earlier to prevent CSRF attacks.
Step 3: Exchange the Code for Tokens
Your backend server makes a POST request to the /token endpoint with grant_type='authorization_code', code, redirect_uri, and client_id (plus client_secret for confidential clients). For PKCE, include code_verifier. The authorization server validates the request and returns an access token, refresh token (if requested), and token type (typically 'Bearer').
Step 4: Use the Access Token
Your client includes the access token in the Authorization header of API requests: Authorization: Bearer <access_token>. The resource server validates the token (e.g., by checking its signature and expiration) and serves the requested data. When the token expires, use the refresh token to obtain a new one without user interaction.
Common Implementation Pitfalls and How to Avoid Them
Insecure Storage of Tokens
Storing access tokens in browser local storage or cookies without proper security is a common mistake. For web apps, use server-side sessions and store tokens in HTTP-only, secure cookies. For mobile apps, use the platform's secure keychain (iOS Keychain, Android Keystore). Never expose tokens in URLs or client-side logs.
CSRF Attacks via State Parameter
Without the state parameter, an attacker can trick a user into authorizing a malicious client. Always generate a cryptographically random state value and verify it on the callback. For PKCE flows, the code_challenge serves a similar purpose, but the state parameter is still recommended.
Improper Scope Validation
Clients often request more scopes than needed, and resource servers may not validate scopes properly. Always request the minimal set of scopes required for your functionality. On the resource server side, check that the token's scope includes the necessary permissions before serving the request. Failure to do so can lead to privilege escalation.
Token Leakage in Logs or Error Messages
Access tokens can be inadvertently exposed in server logs, error responses, or debug output. Ensure that your logging framework masks or omits token values. In API responses, never include the access token in the body or URL; use the Authorization header only.
Real-World Scenarios: Applying OAuth 2.0
Scenario 1: Third-Party Calendar Integration
A team building a project management tool wants to integrate with Google Calendar to show deadlines. They choose the Authorization Code grant with PKCE because their app is a single-page application. They register their client with Google, request the 'calendar.readonly' scope, and implement the PKCE flow. After the user grants consent, they store the refresh token securely on their backend and use it to fetch new access tokens as needed. This allows them to display calendar events without storing user passwords.
Scenario 2: Microservice Authentication
A company with a microservices architecture needs internal services to authenticate to each other. They set up an internal authorization server using Keycloak. Each service is registered as a confidential client and uses the Client Credentials grant to obtain tokens. The tokens are scoped to specific actions (e.g., 'order:read', 'payment:write'). The resource server validates the token's scope before processing requests. This approach centralizes authentication and simplifies key management.
Scenario 3: Mobile Banking App
A financial institution develops a mobile banking app. They use the Authorization Code grant with PKCE and add additional security measures: certificate pinning, biometric authentication for token refresh, and short access token lifetimes (5 minutes). They also implement token revocation on the server side so that if a device is lost, tokens can be invalidated immediately. This layered approach balances security with user experience.
Frequently Asked Questions
What is the difference between OAuth 2.0 and OpenID Connect?
OAuth 2.0 is designed for authorization—granting access to resources. OpenID Connect (OIDC) is an authentication layer built on top of OAuth 2.0 that adds an ID token (a JWT containing user identity claims). If you need to authenticate users (log them in), use OIDC. If you only need to access APIs on their behalf, OAuth 2.0 alone may suffice.
Can I use OAuth 2.0 without HTTPS?
No. OAuth 2.0 requires TLS (HTTPS) for all endpoints to protect tokens and authorization codes from interception. Using HTTP exposes sensitive data to man-in-the-middle attacks. This is a non-negotiable security requirement.
How do I handle token expiration?
Access tokens are short-lived (often 1 hour). Use refresh tokens to obtain new access tokens transparently. If the refresh token expires or is revoked, prompt the user to re-authenticate. Implement a token refresh interceptor in your client that automatically attempts to refresh before the access token expires.
What is the best practice for token revocation?
Authorization servers typically provide a /revoke endpoint. When a user logs out or you suspect a token compromise, call this endpoint to invalidate the token. For long-lived refresh tokens, consider rotating them—issuing a new refresh token with each refresh and invalidating the old one.
Next Steps and Resources
Implement a Simple Flow
Start by setting up a local authorization server using a tool like Keycloak or an open-source library (e.g., Spring Security, Passport.js). Create a simple client that implements the Authorization Code grant with PKCE. Test the flow end-to-end, paying attention to error handling and state validation.
Review Security Best Practices
Read the OAuth 2.0 Threat Model and Security Considerations (RFC 6819) and the OAuth 2.0 for Browser-Based Apps (RFC 8252). These documents provide authoritative guidance on secure implementation. Also, consider using a well-vetted library rather than implementing the protocol from scratch.
Plan for Production
Before going live, conduct a security review: verify that tokens are stored securely, that redirect URIs are validated exactly, and that scopes are enforced on the resource server. Set up monitoring for failed token validations and unusual token usage patterns. Keep your authorization server and libraries up to date to patch vulnerabilities.
Comments (0)
Please sign in to post a comment.
Don't have an account? Create one
No comments yet. Be the first to comment!