Author : MD TAREQ HASSAN | Updated : 2020/05/31

What is OAuth2

An open protocol to allow secure authorization in a simple and standard method from web, mobile, and desktop applications.

OAuth2 Players


   The OAuth2 authorization framework enables a third-party
   application to obtain limited access to an HTTP service, either on
   behalf of a resource owner by orchestrating an approval interaction
   between the resource owner and the HTTP service, or by allowing the
   third-party application to obtain access on its own behalf.

OAuth requires Authentication as first step but it does not care about authentication

How delegated authorization started

In past, if you wanted to see your friends that were already on Yelp or connect with them on Yelp or look at their reviews, what you had to do is you get to a form, choose the provider (email provider like Gmail) and you’d put in your email address and your password. Not your password for Yelp, your password for Gmail on Yelp. This is the state-of-the-art back then.

Same with Facebook at the time. If you wanted to see which of your friends were already on Facebook and you wanted to connect with them, Facebook would read in your contacts from Gmail or Yahoo or Hotmail and they would show you a list of all your contacts that were already on Facebook and give you the opportunity to connect with them.

We can see that this is really bad for a number of reasons. Of course, both Yelp and Facebook promised up and down, we’re just going to read your contacts, we’re not going to store your passwords, we won’t do anything with your contacts other than read them, but in this scenario, when we give our password from one site to another, we’re giving the keys to the kingdom.

And so we started this conversation about delegated authorization because this is really bad.


OAuth2 Players

OAuth2 Players

OAuth2 Players example


OAuth2 Concepts


OAuth2 in a Nutshell

OAuth2 in a Nutshell

OAuth2 dance


OAuth 2.0 overview Step 1

OAuth 2.0 overview Step 2

OAuth 2.0 overview Step 3

OAuth 2.0 overview Step 4

OAuth 2.0 overview Step 5

OAuth 2.0 overview Step 6

Protocol flow


  +--------+                               +---------------+
  |        |--(A)- Authorization Request ->|   Resource    |
  |        |                               |     Owner     |
  |        |<-(B)-- Authorization Grant ---|               |
  |        |                               +---------------+
  |        |
  |        |                               +---------------+
  |        |--(C)-- Authorization Grant -->| Authorization |
  | Client |                               |     Server    |
  |        |<-(D)----- Access Token -------|               |
  |        |                               +---------------+
  |        |
  |        |                               +---------------+
  |        |--(E)----- Access Token ------>|    Resource   |
  |        |                               |     Server    |
  |        |<-(F)--- Protected Resource ---|               |
  +--------+                               +---------------+

Flow types (grant types)

Grant types / Flow types exmples:

Authorization code flow

Authorization Code Grant Type

Courtesy: that-2019-oauth-and-oidc by dogeared

OAuth 2.0 Authorization code flow Step 1

OAuth 2.0 Authorization code flow Step 2

OAuth 2.0 Authorization code flow Step 3

OAuth 2.0 Authorization code flow Step 4

Authorization code flow example

Authorization Request

Authorization Response

Token Request

POST /token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

Basic Authentication and OAuth

Basic Authentication Style (RFC 7617): Base64(client_id + ":" + client_secret)

OAuth Style (RFC 6749): Base64(urlformencode(client_id) + ":" + urlformencode(client_secret))

Token Response

HTTP/1.1 200 OK
Content-Type: application/json
"access_token": "2YotnFZFEjr1zCsicMWpAA",
"token_type": "Bearer",
"expires_in": 3600,
"scope": ""

Authorization code flow with PKCE

OAuth 2.0 Authorization code flow with PKCE Step 1

OAuth 2.0 Authorization code flow with PKCE Step 2

The Client Credentials Grant Type

Used when client application itself is the resource owner

Client Credentials Grant Type

Resource Owner Password Credentials Grant Type

Refresh Token

Refresh Token

Who can use Refresh Token

Playing with OAuth2

See: dev-handy-sites#web-security

Which flow (grant type) do I use?

Response type


Token types

Note: “Authentication type: basic” means id and password are converted into Base64 string and added in the header of a request

OAuth 2.1

OAuth 2.1

2.0 flows

OAuth 2.0 flows

2.1 flows

OAuth 2.1 flows

Extending OAuth2

Extending OAuth2 - device flow

Device flow details:

RFC 8414 - OAuth discovery document

RFC 8414 is the authorization server metadata specification or more affectionately known as the OAuth discovery document. This allows us to query the authorization server itself, get back a JSON file with its capabilities and related end points, and then configure our applications. We don’t have to guess what’s available, the server will tell us. Once again, that is incredibly powerful.