OAuth 2.0 Protocol Overview and Authorization Flows

OAuth 2.0 is an authorization framework that enables third‑party applications to obtain limited access to HTTP resources without exposing user credentials. It defines four service roles: Resource Owner, Resource Server, Client, and Authorization Server.

Core concepts include access tokens, refresh tokens, redirect URIs, scopes, and state parameters, which together control the lifetime and permissions of delegated access.

Authorization flow typically follows these steps:

User initiates authorization by accessing the client application.

Client redirects the user to the authorization server with parameters such as response_type, client_id, redirect_uri, scope, and state.

User authenticates and consents to the requested scopes.

Authorization server redirects back to the client’s redirect_uri with an authorization code (or token in implicit flow).

Client exchanges the code for an access token (and optionally a refresh token) by calling the token endpoint.

Resource server validates the access token and serves the protected resource.

Grant Types

Authorization Code Grant – most common for server‑side applications. Example request:

GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz&redirect_uri=https://client.example.com/cb HTTP/1.1
Host: server.example.com

Successful response includes a code parameter that the client exchanges for an access token.

Implicit Grant – used by pure front‑end apps. The token is returned directly in the URL fragment:

GET /authorize?response_type=token&client_id=s6BhdRkqt3&state=xyz&redirect_uri=https%3A%2F%2Fclient.example.com%2Fcb HTTP/1.1
Host: server.example.com

Redirect example:

HTTP/1.1 302 Found
Location: https://client.example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA&token_type=example&expires_in=3600&state=xyz

Resource Owner Password Credentials Grant – suitable when the client is highly trusted. Example token request:

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=johndoe&password=A3ddj3w

Client Credentials Grant – for machine‑to‑machine communication. Example request:

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials

Token responses are JSON objects containing at least access_token and token_type, with optional expires_in, refresh_token, and scope. Example success response:

{
  "access_token": "2YotnFZFEjr1zCsicMWpAA",
  "token_type": "example",
  "expires_in": 3600,
  "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
  "example_parameter": "example_value"
}

When an access token expires, the client can obtain a new one using the refresh token:

https://b.com/oauth/token?grant_type=refresh_token&client_id=CLIENT_ID&client_secret=CLIENT_SECRET&refresh_token=REFRESH_TOKEN

The article also lists relevant RFCs (RFC 6749, RFC 6750, etc.) and provides additional reading links.