Articles

OAuth 2.0 Flows: Beyond the Buzzwords

March 15, 2026 8 min read

OAuth 2.0 is a protocol that allows third-party applications to access user data from another service on behalf of the user, without the user having to share their credentials.

Let’s see it in action. Imagine a photo printing service (let’s call it "PrintMyPics") that wants to access your photos stored on a cloud storage service ("CloudVault"). You want to grant PrintMyPics access to your photos, but you don’t want to give PrintMyPics your CloudVault username and password. This is where OAuth 2.0 shines.

Here’s a simplified flow for how this might work:

  1. You initiate the action: You go to PrintMyPics and click "Connect to CloudVault" to select photos for printing.

  2. PrintMyPics redirects you: PrintMyPics, acting as a "client application," redirects your browser to CloudVault’s authorization server. This redirect includes specific parameters:

    • client_id: Identifies PrintMyPics to CloudVault.
    • redirect_uri: The URL on PrintMyPics’ server where CloudVault should send the user back after authorization.
    • response_type=code: Indicates that PrintMyPics wants an authorization code.
    • scope: Specifies what permissions PrintMyPics is requesting (e.g., read_photos, list_albums).
    • state: A random string to prevent CSRF attacks, which PrintMyPics will check later.

    Your browser now shows the CloudVault login page.

  3. You authenticate with CloudVault: You log in to CloudVault with your username and password.

  4. You authorize the client: CloudVault then presents you with a consent screen: "PrintMyPics would like to access your photos (read_photos, list_albums). Do you approve?"

  5. You grant permission: You click "Approve."

  6. CloudVault redirects you back: CloudVault redirects your browser back to the redirect_uri specified by PrintMyPics. This redirect includes:

    • code: A short-lived, one-time-use authorization code.
    • state: The same random string that PrintMyPics sent earlier.

  7. PrintMyPics verifies and exchanges the code: Your browser lands on PrintMyPics. The PrintMyPics backend server receives this request, verifies the state parameter matches what it sent, and then uses the code to make a server-to-server request to CloudVault’s token endpoint. This request includes:

    • grant_type=authorization_code: Indicating it’s exchanging an authorization code.
    • code: The authorization code received.
    • redirect_uri: The same URI used in the initial redirect.
    • client_id: PrintMyPics’ client ID.
    • client_secret: A secret key that only PrintMyPics and CloudVault know, proving PrintMyPics’ identity.

  8. CloudVault issues tokens: CloudVault validates the code, client_id, and client_secret. If everything checks out, it responds with:

    • access_token: A token that PrintMyPics will use to make API calls to CloudVault on your behalf. This token has a limited lifespan.
    • token_type: Typically "Bearer."
    • expires_in: The number of seconds until the access_token expires.
    • refresh_token (optional): A token that PrintMyPics can use to obtain a new access_token when the current one expires, without requiring you to go through the authorization flow again.

  9. PrintMyPics accesses your data: Now, PrintMyPics can use the access_token to make requests to CloudVault’s API (e.g., GET /api/v1/photos) to retrieve your photos. Each API request includes the access_token in the Authorization header: Authorization: Bearer <access_token>.

This whole process, from you clicking "Connect" to PrintMyPics getting an access_token, is known as the Authorization Code Grant Type. It’s the most common and recommended flow for web applications because it keeps your credentials safe and uses a temporary code for the actual token exchange.

OAuth 2.0 defines several "grant types," which are different ways to obtain an access token, each suited for different client types and scenarios. The Authorization Code Grant is for web servers. Another common one is the Implicit Grant (though largely deprecated for security reasons, it was used by single-page JavaScript applications where the token was returned directly to the browser). For native mobile apps, a variation of the Authorization Code Grant with PKCE (Proof Key for Code Exchange) is now standard. Machine-to-machine communication uses the Client Credentials Grant, where no user is involved, and the client application accesses resources it owns.

The real power of OAuth 2.0 lies in its separation of concerns. The authorization server (CloudVault) handles user authentication and consent. The resource server (also CloudVault, but a different API endpoint) hosts the protected data. The client application (PrintMyPics) is the one requesting access. The access_token is the credential the client uses to prove it has been granted permission by the user to access specific resources.

A critical detail most developers overlook is the state parameter in the Authorization Code Grant. It’s not just a random string; it’s a CSRF protection mechanism. The client generates a unique state value before redirecting the user to the authorization server. It then stores this value (e.g., in the user’s session) and compares it to the state value returned by the authorization server in the callback. If they don’t match, it means the request might have been hijacked, and the client should reject the authorization. Failing to implement this check leaves the application vulnerable to attackers tricking users into authorizing actions they didn’t intend.

The next step in mastering OAuth 2.0 is understanding how to securely store and manage refresh tokens to maintain user sessions without constant re-authentication.

Want structured learning?

Take the full Http course →