🔐 OAuth 2.0 Flows Explained

Understand every OAuth 2.0 flow — auth code, PKCE, client credentials, device — by name, by purpose, and by threat model, then ship a minimal client you can defend on a security review.

Applied · 14 drops · ~2-week path · 5–8 min/day · technology

Phase 1: The Roles, Tokens, and Trust Boundaries

Decode OAuth roles, tokens, and why redirects exist

4 drops
  1. OAuth is about delegation, not authentication

    6 min

    OAuth solves 'let this app do something on my behalf' — not 'prove who I am.' Confusing the two is the root of most OAuth bugs.

  2. Four roles, one dance

    6 min

    Every OAuth flow is the same four actors passing messages: resource owner, client, authorization server, resource server.

  3. Access tokens are bearer tickets — treat them that way

    7 min

    Whoever holds an access token can use it. There's no cryptographic binding to the user, the device, or the client by default.

  4. The redirect URI is the whole security model

    7 min

    The redirect URI is how the authorization server decides where to send the user and the code — which means it's also how attackers try to steal them.

Phase 2: Walking The Authorization Code + PKCE Flow

Walk the authorization code and PKCE flow step by step

5 drops
  1. The auth request is a URL — read it like one

    7 min

    The initial authorization request is nothing more than a GET to the authorization server with specific query params. If you can read URLs, you can read OAuth.

  2. Consent is the only step the user sees

    6 min

    The consent screen is where the user grants delegation — it's the product UX of OAuth, and scopes are its vocabulary.

  3. The code is single-use, short-lived, and worthless alone

    7 min

    An authorization code is a bearer ticket with a ten-minute shelf life that must be redeemed by the same client that requested it.

  4. PKCE replaces the client secret with proof of origin

    8 min

    PKCE is a tiny hash trick that makes the authorization code flow safe for apps that can't keep a secret.

  5. The token response is the whole prize

    7 min

    One JSON blob contains everything the client needs: the access token, the refresh token, the expiry, and the actually-granted scope.

Phase 3: Choosing The Right Flow For The Job

Compare implicit, client credentials, and device flows on tradeoffs

4 drops
  1. Your SPA just got a token in its URL. What do you do?

    8 min

  2. Your service needs to call another service. No user in sight.

    7 min

  3. Your CLI can't open a browser. Now what?

    7 min

  4. Your refresh tokens aren't rotating. Silent data-breach time bomb.

    8 min

Phase 4: Ship A Minimal OAuth Client

Implement a minimal OAuth client against a real provider

1 drop
  1. Build a minimal OAuth client against a real provider

    25 min

Frequently asked questions

What's the difference between OAuth 2.0 and OpenID Connect?
This is covered in the “OAuth 2.0 Flows Explained” learning path. Start with daily 5-minute micro-lessons that build from fundamentals to hands-on application.
Why is the implicit flow considered deprecated for new apps?
This is covered in the “OAuth 2.0 Flows Explained” learning path. Start with daily 5-minute micro-lessons that build from fundamentals to hands-on application.
When should I use PKCE instead of a client secret?
This is covered in the “OAuth 2.0 Flows Explained” learning path. Start with daily 5-minute micro-lessons that build from fundamentals to hands-on application.
What's the actual risk if I skip the 'state' parameter?
This is covered in the “OAuth 2.0 Flows Explained” learning path. Start with daily 5-minute micro-lessons that build from fundamentals to hands-on application.
Why does the device flow exist when auth code already works?
This is covered in the “OAuth 2.0 Flows Explained” learning path. Start with daily 5-minute micro-lessons that build from fundamentals to hands-on application.