Cheatsheets
OAuth 2.0 & OIDC
Auth-code + PKCE, tokens, scopes, OIDC, and the common attacks with their mitigations.
Visualize
OAuth 2.0 — Authorization Code + PKCE
The front- and back-channel flow, and why an intercepted code is useless.
Press play to watch the flow.
52 entries
Roles & terminology6
Resource OwnerThe user who owns the data and grants access.
Client (public vs confidential)The app requesting access on the user's behalf.
Authorization Server (AS / IdP)Authenticates the user and issues tokens.
Resource Server (API)Hosts the protected APIs; validates access tokens.
Authorization GrantThe credential proving the user authorized the client.
OAuth 2.0 vs OpenID ConnectAuthorization vs authentication — different jobs.
Authorization Code + PKCE (the modern default)3
Authorization Code + PKCE — full flowTHE recommended flow for web, SPA, and mobile apps.
/token exchange (code_verifier)Back-channel POST that swaps the code for tokens.
code_challenge_method=S256Use SHA-256, never plain.
Other grant types & flows6
Client Credentials (machine-to-machine)Service-to-service auth, no user involved.
Refresh Token + rotationGet fresh access tokens without re-login.
Reuse detectionDetect a stolen, replayed refresh token.
Device Authorization grant (RFC 8628)Login on input-constrained devices (TVs, CLIs).
Implicit flow — DEPRECATEDReturned tokens in the URL fragment. Do not use.
Resource Owner Password (ROPC) — DEPRECATEDApp collects the user's password directly. Avoid.
Tokens & claims8
Access token: opaque vs JWTAPI credential — two shapes the AS may issue.
Refresh tokenLong-lived credential to mint new access tokens.
OIDC ID tokenA JWT proving WHO the user is (authentication).
Standard JWT claimsiss, sub, aud, exp, iat, nbf, jti — the registered set.
OIDC-specific claimsnonce, azp, at_hash, auth_time.
Scopes vs claimsWhat the client may do vs facts about the subject.
Audience (aud) validationReject tokens minted for a different recipient.
Issuer (iss) validationConfirm the token came from the AS you trust.
Endpoints, discovery & validation9
/authorize endpointFront-channel: start login & consent.
/token endpointBack-channel: exchange a grant for tokens.
Token responseThe JSON the /token endpoint returns.
/userinfo endpointOIDC: fetch user claims with an access token.
Token introspection (RFC 7662)Ask the AS whether a token is currently active.
Revocation (RFC 7009)Actively invalidate a token (e.g. on logout).
OIDC Discovery.well-known/openid-configuration — auto-config.
JWKS (kid → public key)The public keys used to verify token signatures.
Token validation stepsHow a resource server should verify a JWT.
PKCE, state & nonce deep-dive4
PKCE: code_verifierThe high-entropy secret kept by the client.
The state parameter (CSRF)Binds the callback to the request that started it.
nonce (replay protection)Ties the ID token to a single auth request.
redirect_uri exact matchingThe AS only redirects to a pre-registered URI.
Security attacks & mitigations8
Authorization-code interceptionStolen code on public clients → use PKCE.
Token leakageTokens exposed via URLs, logs, Referer, storage.
Open redirect via redirect_uriLoose callback matching leaks the code.
CSRF via missing stateAttacker fixes their code onto your session.
Mix-up attackClient confuses which AS issued a response.
alg:none / RS256→HS256 confusionForging tokens by abusing the alg header.
Replay via missing nonceReusing a captured ID token.
Refresh-token theftA stolen long-lived token → rotation + detection.
Best practices8
Short-lived access tokensKeep access-token lifetime small (5-15 min).
Best practice: store tokens carefullyhttpOnly cookies or memory — never localStorage.
BFF (Backend-for-Frontend) patternA server holds the tokens; the SPA gets a cookie.
Never put tokens in URLsUse headers/POST bodies, not query strings or fragments.
Validate every token server-sideTrust no token until signature + claims check out.
Request least-privilege scopesAsk only for what the feature needs.
openid scopeOpt into OpenID Connect (get an ID token).
offline_access scopeAsk for a refresh token.