OAuth 2.0 Overview: Core Concepts, Authorization Flows, and Grant Types
This article provides a comprehensive introduction to OAuth 2.0, covering its purpose, core roles, token types, four main grant flows (authorization code, implicit, resource‑owner password, client credentials), token refresh mechanisms, and practical request/response examples for developers.
OAuth 2.0 is an open standard designed to delegate access to protected resources without exposing user credentials, commonly used for single‑sign‑on, third‑party login, and API authorization scenarios.
The framework defines four service roles: Resource Owner (the user), Resource Server (hosts protected data), Client (the application requesting access), and Authorization Server (issues tokens after authenticating the user and client).
Two token types are central: an access token that grants limited, time‑bound access to resources, and an optional refresh token that can be used to obtain a new access token without further user interaction.
Authorization Code Grant (the most widely used flow) separates user authentication from token issuance in two steps. The client redirects the user to the authorization endpoint, receives an authorization code, and then exchanges that code for an access token at the token endpoint.
Step 1, the authorization request (the user's browser is redirected to the authorization endpoint):

GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz&redirect_uri=https://client.example.com/cb HTTP/1.1
Host: server.example.com

Step 2, the token request (the client exchanges the returned code at the token endpoint, authenticating with its client credentials):

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https://client.example.com/cb

The successful token response is a JSON object containing access_token, token_type, expires_in, and optionally refresh_token.
{
  "access_token": "2YotnFZFEjr1zCsicMWpAA",
  "token_type": "example",
  "expires_in": 3600,
  "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
  "example_parameter": "example_value"
}

Implicit Grant is intended for pure front‑end applications that cannot keep a client secret. The access token is returned directly in the fragment part of the redirect URI.
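The two steps of the Authorization Code Grant above map onto a small amount of client-side logic: generate an unguessable state value, build the authorization URL, check that the state echoed back on the callback matches before trusting the code, then assemble the token request and validate the token response. The following Python is an added example written for this article, not code from the article's author or from any OAuth library; the endpoint and client_id values are taken from the requests shown above, and the callback URL and token response body are constructed inline so the example runs offline with no HTTP calls.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Values from the article's example requests (no real server behind them).
AUTHORIZE_ENDPOINT = "https://server.example.com/authorize"
TOKEN_ENDPOINT = "https://server.example.com/token"
CLIENT_ID = "s6BhdRkqt3"
REDIRECT_URI = "https://client.example.com/cb"


def new_state() -> str:
    """Per-authorization random value; the client stores it in the user's session."""
    return secrets.token_urlsafe(32)


def build_authorization_url(state: str) -> str:
    """Step 1: the URL the client redirects the user's browser to."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "state": state,
        "redirect_uri": REDIRECT_URI,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect back to the client.

    The state parameter is compared against the value stored for this user
    before the code is accepted; a mismatch means the callback was not
    initiated by this client session and must be discarded.
    """
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in query:
        raise ValueError(f"authorization server returned error: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(code: str) -> dict:
    """Step 2: form body for the POST to the token endpoint.

    Client credentials go in the HTTP Basic Authorization header (as in the
    article's request), not in this body.
    """
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must equal the value used in step 1
    }


def parse_token_response(body: str) -> dict:
    """Validate the JSON token response; refresh_token is optional."""
    data = json.loads(body)
    for required in ("access_token", "token_type"):
        if required not in data:
            raise ValueError(f"token response missing {required}")
    return {
        "access_token": data["access_token"],
        "token_type": data["token_type"],
        "expires_in": int(data["expires_in"]) if "expires_in" in data else None,
        "refresh_token": data.get("refresh_token"),
    }


if __name__ == "__main__":
    state = new_state()
    print(build_authorization_url(state))
    # Constructed callback, reusing the article's example code value.
    callback = f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    code = parse_callback(callback, state)
    print(build_token_request(code))
    # Constructed token response body, identical to the article's JSON example.
    body = '{"access_token": "2YotnFZFEjr1zCsicMWpAA", "token_type": "example", ' \
           '"expires_in": 3600, "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA"}'
    print(parse_token_response(body))
```

The state check is the part most often skipped in hand-written clients; without it, any code delivered to the redirect URI is accepted regardless of which session started the flow.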
The authorization request:

GET /authorize?response_type=token&client_id=s6BhdRkqt3&state=xyz&redirect_uri=https%3A%2F%2Fclient.example.com%2Fcb HTTP/1.1
Host: server.example.com

The redirect carrying the token in the URI fragment:

Location: http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA&state=xyz&token_type=example&expires_in=3600

Resource Owner Password Credentials Grant allows a highly trusted client to collect the user's username and password and exchange them directly for an access token.
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=johndoe&password=A3ddj3w

Client Credentials Grant is used by server‑to‑server or command‑line applications that act on their own behalf, sending only their client ID and secret to obtain an access token.
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials

When an access token nears expiration, the client can request a new one using the refresh token:
https://b.com/oauth/token?grant_type=refresh_token&client_id=CLIENT_ID&client_secret=CLIENT_SECRET&refresh_token=REFRESH_TOKEN

References: RFC 5849, RFC 6749, RFC 6750, MAC authentication draft, and the OAuth 2.0 specification website.
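The refresh step above needs two decisions the single URL does not show: when "nears expiration" is reached, and what to do with the refresh token after the server answers (it may issue a new one or keep the old one valid). The Python below is an added example written for this article, not the author's code; it tracks the absolute expiry time computed from expires_in, refreshes a configurable margin before that time, and sends the client credentials in the HTTP Basic Authorization header and the refresh_token in a POST form body, matching the token requests shown earlier in the article rather than the query-string form of the URL above. The margin value and the expiry-time calculation are assumptions of this example; the token values come from the article's JSON response and the CLIENT_SECRET placeholder is the article's own.

```python
import base64
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://server.example.com/token"  # from the article's requests
# Assumed safety margin: refresh this many seconds before the server's expiry,
# so a request in flight never arrives with an already-expired token.
REFRESH_MARGIN_SECONDS = 60


@dataclass
class TokenSet:
    access_token: str
    refresh_token: Optional[str]
    expires_at: float  # absolute Unix time, derived from expires_in at receipt

    @classmethod
    def from_response(cls, data: dict, received_at: float) -> "TokenSet":
        """Turn a token response (the article's JSON shape) into a TokenSet."""
        return cls(
            access_token=data["access_token"],
            refresh_token=data.get("refresh_token"),
            expires_at=received_at + int(data.get("expires_in", 0)),
        )

    def needs_refresh(self, now: float) -> bool:
        """True once the token is within REFRESH_MARGIN_SECONDS of expiry."""
        return now >= self.expires_at - REFRESH_MARGIN_SECONDS


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic value for client authentication at the token endpoint."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_refresh_request(tokens: TokenSet, client_id: str, client_secret: str) -> dict:
    """Headers and body for the refresh POST; raises if no refresh token exists."""
    if not tokens.refresh_token:
        raise ValueError("no refresh token issued; user must re-authorize")
    return {
        "url": TOKEN_ENDPOINT,
        "headers": {
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({
            "grant_type": "refresh_token",
            "refresh_token": tokens.refresh_token,
        }),
    }


def apply_refresh_response(old: TokenSet, data: dict, received_at: float) -> TokenSet:
    """Merge the refresh response into a new TokenSet.

    If the server rotated the refresh token, the new one replaces the old;
    if it omitted refresh_token, the previous one stays valid and is kept.
    """
    fresh = TokenSet.from_response(data, received_at)
    if fresh.refresh_token is None:
        fresh.refresh_token = old.refresh_token
    return fresh


if __name__ == "__main__":
    # Constructed timeline; token values are the article's example response.
    t0 = time.time()
    tokens = TokenSet.from_response(
        {"access_token": "2YotnFZFEjr1zCsicMWpAA", "token_type": "example",
         "expires_in": 3600, "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA"}, t0)
    print("refresh now?", tokens.needs_refresh(t0))            # False
    print("refresh at +3540s?", tokens.needs_refresh(t0 + 3540))  # True
    print(build_refresh_request(tokens, "s6BhdRkqt3", "CLIENT_SECRET"))
```

Computing expires_at once, at receipt, avoids the common bug of re-reading expires_in later and treating it as a fresh window each time.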
IT Architects Alliance