OAuth 2.0 Simplified Guide
OAuth 2.0 is the industry-standard protocol for authorization. It focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.
Access Tokens
An OAuth Access Token is a string that the OAuth client uses to make requests to the resource server. Access tokens do not convey user identity or any other information about the user to the OAuth client. They are only used to make requests to the resource server.
Refresh Tokens
An OAuth Refresh Token is a string that the OAuth client can use to get a new access token without the user's interaction. A refresh token must not allow the client to gain any access beyond the scope of the original grant.
The refresh token enables authorization servers to use short lifetimes for access tokens without needing to involve the user when the token expires.
Scope
Scope limits an application's access to a user's account. An application can request one or more scopes. This information is presented to the user in the consent screen, and the access token issued to the application is limited to the scopes granted.
Grant Types
The most common OAuth grant types are:
Authorization Code: It is used by confidential and public clients to exchange an authorization code for an access token. After the user returns to the client via the redirect URL, the application reads the authorization code from the URL and uses it to request an access token.
PKCE: It is an extension to the Authorization Code flow to prevent CSRF and authorization code injection attacks.
Client Credentials: It is used by clients to obtain an access token outside of the context of a user. This is used by clients to access resources about themselves rather than to access a user's resources.
Device Code: It is used by input-constrained devices in the device flow to exchange a previously obtained device code for an access token.
Refresh Token: It is used by clients to exchange a refresh token for an access token when the access token has expired. This allows clients to continue to have a valid access token without further interaction with the user.
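As an added example (not part of the original guide), the following Python shows the Authorization Code flow with PKCE from both sides: the client creates a code_verifier, its S256 code_challenge and a state value, builds the authorization request, and checks state on the callback; the authorization server recomputes the challenge from the verifier presented at the token endpoint. Endpoint URLs, client id and the callback query string are constructed placeholders.

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse


def _b64url(data: bytes) -> str:
    # base64url without padding, as RFC 7636 requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    # Client side: high-entropy random secret, 43-128 characters long.
    return _b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier)))
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                            scopes: list, state: str, challenge: str) -> str:
    # Client side: only the challenge is sent; the verifier stays with the client.
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def extract_code_from_callback(redirect_url: str, expected_state: str) -> Optional[str]:
    # Client side: a callback whose state does not match the value we issued
    # is rejected (this is the CSRF check); otherwise return the code.
    query = parse_qs(urlparse(redirect_url).query)
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state, expected_state):
        return None
    return query.get("code", [None])[0]


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    # Authorization server side at the token endpoint: the challenge stored with
    # the issued code must match the verifier presented with it, so an injected
    # or stolen code is useless without the original client's verifier.
    return secrets.compare_digest(make_code_challenge(presented_verifier), stored_challenge)
```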