All cheatsheets

Cheatsheets

OAuth 2.0 & OIDC

Auth-code + PKCE, tokens, scopes, OIDC, and the common attacks with their mitigations.

Visualize

OAuth 2.0 — Authorization Code + PKCE

The front- and back-channel flow, and why an intercepted code is useless.

App (client)Auth server

Press play to watch the flow.

52 entries

Roles & terminology6

Resource Owner

The user who owns the data and grants access.

Client (public vs confidential)

The app requesting access on the user's behalf.

Authorization Server (AS / IdP)

Authenticates the user and issues tokens.

Resource Server (API)

Hosts the protected APIs; validates access tokens.

Authorization Grant

The credential proving the user authorized the client.

OAuth 2.0 vs OpenID Connect

Authorization vs authentication — different jobs.

Authorization Code + PKCE (the modern default)3

Authorization Code + PKCE — full flow

THE recommended flow for web, SPA, and mobile apps.

/token exchange (code_verifier)

Back-channel POST that swaps the code for tokens.

code_challenge_method=S256

Use SHA-256, never plain.

Other grant types & flows6

Client Credentials (machine-to-machine)

Service-to-service auth, no user involved.

Refresh Token + rotation

Get fresh access tokens without re-login.

Reuse detection

Detect a stolen, replayed refresh token.

Device Authorization grant (RFC 8628)

Login on input-constrained devices (TVs, CLIs).

Implicit flow — DEPRECATED

Returned tokens in the URL fragment. Do not use.

Resource Owner Password (ROPC) — DEPRECATED

App collects the user's password directly. Avoid.

Tokens & claims8

Access token: opaque vs JWT

API credential — two shapes the AS may issue.

Refresh token

Long-lived credential to mint new access tokens.

OIDC ID token

A JWT proving WHO the user is (authentication).

Standard JWT claims

iss, sub, aud, exp, iat, nbf, jti — the registered set.

OIDC-specific claims

nonce, azp, at_hash, auth_time.

Scopes vs claims

What the client may do vs facts about the subject.

Audience (aud) validation

Reject tokens minted for a different recipient.

Issuer (iss) validation

Confirm the token came from the AS you trust.

Endpoints, discovery & validation9

/authorize endpoint

Front-channel: start login & consent.

/token endpoint

Back-channel: exchange a grant for tokens.

Token response

The JSON the /token endpoint returns.

/userinfo endpoint

OIDC: fetch user claims with an access token.

Token introspection (RFC 7662)

Ask the AS whether a token is currently active.

Revocation (RFC 7009)

Actively invalidate a token (e.g. on logout).

OIDC Discovery

.well-known/openid-configuration — auto-config.

JWKS (kid → public key)

The public keys used to verify token signatures.

Token validation steps

How a resource server should verify a JWT.

PKCE, state & nonce deep-dive4

PKCE: code_verifier

The high-entropy secret kept by the client.

The state parameter (CSRF)

Binds the callback to the request that started it.

nonce (replay protection)

Ties the ID token to a single auth request.

redirect_uri exact matching

The AS only redirects to a pre-registered URI.

Security attacks & mitigations8

Authorization-code interception

Stolen code on public clients → use PKCE.

Token leakage

Tokens exposed via URLs, logs, Referer, storage.

Open redirect via redirect_uri

Loose callback matching leaks the code.

CSRF via missing state

Attacker fixes their code onto your session.

Mix-up attack

Client confuses which AS issued a response.

alg:none / RS256→HS256 confusion

Forging tokens by abusing the alg header.

Replay via missing nonce

Reusing a captured ID token.

Refresh-token theft

A stolen long-lived token → rotation + detection.

Best practices8

Short-lived access tokens

Keep access-token lifetime small (5-15 min).

Best practice: store tokens carefully

httpOnly cookies or memory — never localStorage.

BFF (Backend-for-Frontend) pattern

A server holds the tokens; the SPA gets a cookie.

Never put tokens in URLs

Use headers/POST bodies, not query strings or fragments.

Validate every token server-side

Trust no token until signature + claims check out.

Request least-privilege scopes

Ask only for what the feature needs.

openid scope

Opt into OpenID Connect (get an ID token).

offline_access scope

Ask for a refresh token.