OAuth20 Study Notes
Everything on SkillVeris tagged OAuth20 Study Notes — collected across the glossary, study notes, blog, and cheat sheets.
30 resources across 1 library
Study Notes(30)
Access Tokens and JWTs
Access tokens are the credentials a client presents to a resource server, and JWTs are the most common self-contained format for encoding them.
Authorization Code with PKCE
The Authorization Code grant is OAuth 2.0's most secure and widely used flow, and PKCE hardens it further so it is safe for public clients like single-page app…
Building an OAuth Client
A step-by-step walkthrough of implementing the OAuth 2.0 authorization code flow with PKCE from registration through token exchange.
Choosing the Right Grant
OAuth 2.0 offers several grant types built for different trust boundaries; picking the wrong one is one of the most common real-world sources of OAuth vulnerab…
Common OAuth Vulnerabilities
A survey of the recurring implementation mistakes that turn OAuth 2.0 deployments into attack surfaces, from code interception to login CSRF.
Deprecated Implicit and Password Grants
The Implicit and Resource Owner Password Credentials grants were early OAuth 2.0 patterns now formally deprecated in OAuth 2.1 due to fundamental security weak…
Implementing OAuth in a Web App
A practical guide to wiring the Authorization Code flow into a server-rendered web application, from callback handling to secure token storage and refresh rota…
OAuth 2.0 Roles and Terminology
A guided tour of the four OAuth 2.0 roles — resource owner, client, authorization server, resource server — and the core vocabulary you'll see in every spec an…
OAuth 2.0 vs OAuth 1.0
A technical comparison of OAuth 1.0's signed-request model against OAuth 2.0's bearer-token, multi-grant-type design.
OAuth Best Practices
The concrete, RFC 9700-aligned security practices every OAuth 2.0 implementation should follow, from PKCE to token storage.
OAuth for Mobile Apps
How native iOS and Android apps should implement OAuth 2.0 per RFC 8252: external user-agents, PKCE, claimed redirect URIs, and hardware-backed token storage.
OAuth for Single-Page Apps
Learn why browser-based SPAs must be treated as public OAuth clients, how PKCE secures the Authorization Code flow, and why the BFF pattern beats storing token…
OAuth Interview Questions
The OAuth 2.0 concepts and edge-case questions that come up most often in backend, security, and full-stack interviews.
OAuth Quick Reference
A condensed lookup of OAuth 2.0 grant types, standard endpoints, token parameters, and common error codes for day-to-day implementation work.
OAuth vs Authentication
Clears up the most common OAuth misconception: OAuth 2.0 is an authorization protocol, not an authentication protocol, and explains where OpenID Connect fits i…
OAuth with API Gateways
How API gateways centralize OAuth token validation, choose between JWT and introspection, enforce scope-based authorization, and apply per-client rate limits.
OAuth with OpenID Connect
Understand how OpenID Connect layers standardized authentication — ID tokens, claims, and the UserInfo endpoint — on top of OAuth 2.0's authorization framework.
PKCE in Depth
How Proof Key for Code Exchange binds an authorization request to its token exchange and why S256 is mandatory in modern OAuth deployments.
Redirect URI Validation
Why OAuth authorization servers must enforce exact, literal redirect_uri matching, and how open redirects and loose host checks turn into full code exfiltratio…
Refresh Tokens
Refresh tokens let a client obtain new access tokens without forcing the resource owner to re-authenticate, and how they're issued and rotated is central to OA…
Scopes and Consent
Scopes let a client request narrowly defined permissions, and the consent screen is where the resource owner explicitly approves exactly what's being granted.
Securing Token Endpoints
Hardening the OAuth token endpoint with strong client authentication, brute-force resistance, refresh token rotation, and sender-constrained tokens.
State and CSRF Protection
How the state parameter defeats login CSRF in OAuth flows, the entropy and storage requirements that make it effective, and why it complements PKCE.
The Authorization Code Flow
A step-by-step walkthrough of OAuth 2.0's most widely used grant type, the authorization code flow, including why PKCE is now required for public clients.
Showing 24 of 30.