How Does OAuth 2.0 Work?


OAuth 2.0 (RFC 6749) is an authorization framework that lets an application access a user's data at another service (e.g., Facebook, GitHub) with a scoped, expiring access token instead of the user's password. Below is a detailed breakdown of its workflow, along with practical commands and code snippets.

OAuth 2.0 Step-by-Step Workflow

[1.] Client Requests Access

  • The user clicks “Connect with [Provider]” (e.g., “Login with GitHub”).
  • The app builds an authorization request containing a random, session-bound `state` value (checked again at the callback) and sends the browser to the provider's authorization endpoint. Example HTTP request (Google's endpoint path, matching the redirect URL in step 2):
    GET /o/oauth2/auth?response_type=code&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=email&state=RANDOM_STATE HTTP/1.1
    Host: accounts.google.com
    

[2.] Redirect to Authorization Server

  • The app redirects the user to the OAuth provider (e.g., Google, Facebook).
  • Example redirect URL (the `state` value must be unguessable and tied to the user's session):
    https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=1234&redirect_uri=https://app.com/callback&scope=email&state=RANDOM_STATE
    

[3.] User Grants (or Denies) Permission

  • The user logs in and approves the requested permissions.

[4.] Authorization Code Issued

  • The provider redirects the browser back to the registered callback URL with a short-lived, single-use authorization code and the `state` value it was given:
    https://app.com/callback?code=AUTHORIZATION_CODE&state=RANDOM_STATE
    

[5.] Exchange Code for Access Token

  • The backend (never the browser) exchanges the code for an access token by POSTing directly to the token endpoint, authenticating with the client secret. The `redirect_uri` must be the same one sent in step 1, and a code that has already been used is rejected. Using curl:
    curl -X POST https://oauth2.googleapis.com/token \
    -d "code=AUTHORIZATION_CODE" \
    -d "client_id=CLIENT_ID" \
    -d "client_secret=CLIENT_SECRET" \
    -d "redirect_uri=REDIRECT_URI" \
    -d "grant_type=authorization_code"
    
  • Response:
    {
    "access_token": "ACCESS_TOKEN",
    "token_type": "Bearer",
    "refresh_token": "REFRESH_TOKEN",
    "expires_in": 3600
    }
    

[6.] Access Protected Resources

  • Use the `access_token` to fetch user data:
    curl -H "Authorization: Bearer ACCESS_TOKEN" https://www.googleapis.com/oauth2/v1/userinfo
    

🔄 Token Expiration & Refresh

  • If the `access_token` expires, use the `refresh_token`. Google only issues a refresh token when the authorization request included `access_type=offline`; treat it as a long-lived credential and keep it server-side, encrypted at rest:
    curl -X POST https://oauth2.googleapis.com/token \
    -d "client_id=CLIENT_ID" \
    -d "client_secret=CLIENT_SECRET" \
    -d "refresh_token=REFRESH_TOKEN" \
    -d "grant_type=refresh_token"
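
How a backend should actually drive that refresh call, as an added example that is not part of the original post: it refreshes shortly before `expires_in` runs out, keeps a rotated refresh token when the provider returns one, and treats an `invalid_grant` error as revocation that requires a fresh login. The token endpoint is injected as `post_token` so the logic runs offline with a fake clock; the `fake_endpoint` function, the `ACCESS_1`/`REFRESH_1` values and the `RefreshRevoked` name are constructed for this demo and are not part of any provider's API.

```python
# Added example, not the page's code: refresh the access token before it expires, keep a
# rotated refresh_token and treat invalid_grant as revocation. `post_token` is injected so
# the logic runs offline; in production it would POST the form to the provider's token URL.
import time


class RefreshRevoked(Exception):
    """The provider rejected the refresh token (revoked or expired): the user must log in again."""


class TokenHolder:
    SKEW = 60  # refresh this many seconds early to absorb clock drift and request latency

    def __init__(self, token_response, post_token, client_id, client_secret, now=time.time):
        self.post_token, self.now = post_token, now
        self.client_id, self.client_secret = client_id, client_secret
        self.refresh_token = None
        self._store(token_response)

    def _store(self, resp):
        self.access_token = resp["access_token"]
        self.expires_at = self.now() + resp.get("expires_in", 3600)
        # Rotation: a refresh response may carry a new refresh_token; otherwise keep the old one
        self.refresh_token = resp.get("refresh_token", self.refresh_token)

    def get_access_token(self):
        """Return a token that is still valid for at least SKEW seconds, refreshing if needed."""
        if self.now() >= self.expires_at - self.SKEW:
            self._refresh()
        return self.access_token

    def _refresh(self):
        if not self.refresh_token:
            raise RefreshRevoked("no refresh_token available (was access_type=offline requested?)")
        status, body = self.post_token({"grant_type": "refresh_token", "refresh_token": self.refresh_token,
                                        "client_id": self.client_id, "client_secret": self.client_secret})
        if status == 400 and body.get("error") == "invalid_grant":  # RFC 6749 section 5.2
            self.refresh_token = None  # do not keep retrying a dead credential
            raise RefreshRevoked(body.get("error_description", "refresh token rejected"))
        if status != 200:
            raise RuntimeError(f"token endpoint returned {status}: {body}")
        self._store(body)


def demo():
    """Offline walk-through with a fake clock and a fake token endpoint (constructed data)."""
    clock = [1_000_000.0]
    calls = []

    def fake_endpoint(form):  # stands in for requests.post(TOKEN_URL, data=form)
        calls.append(dict(form))
        if form["refresh_token"] == "REFRESH_1":
            return 200, {"access_token": "ACCESS_2", "expires_in": 3600, "refresh_token": "REFRESH_2"}
        return 400, {"error": "invalid_grant", "error_description": "Token has been revoked"}

    holder = TokenHolder({"access_token": "ACCESS_1", "expires_in": 3600, "refresh_token": "REFRESH_1"},
                         fake_endpoint, "CLIENT_ID", "CLIENT_SECRET", now=lambda: clock[0])
    first = holder.get_access_token()   # still fresh: ACCESS_1, no call to the endpoint
    clock[0] += 3600                    # now past expiry: next call refreshes with REFRESH_1
    second = holder.get_access_token()  # ACCESS_2; refresh token rotated to REFRESH_2
    clock[0] += 3600
    try:
        holder.get_access_token()       # REFRESH_2 is rejected: surfaces as RefreshRevoked
        revoked = False
    except RefreshRevoked:
        revoked = True
    return first, second, len(calls), revoked
```

Calling `demo()` returns `("ACCESS_1", "ACCESS_2", 2, True)`: the first read costs no network call, the second triggers exactly one refresh, and the revoked refresh token is surfaced as an exception rather than retried in a loop. The `SKEW` margin matters in practice: a token that is valid when you read it can be expired by the time the resource server sees it.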
    

You Should Know:

1. OAuth 2.0 Grant Types

  • Authorization Code (the recommended flow for web, mobile and native apps; combine it with PKCE)
  • Implicit (Deprecated: tokens travel in the URL fragment and are easily leaked; removed in the OAuth 2.1 draft)
  • Client Credentials (Machine-to-Machine, no user involved)
  • Resource Owner Password (Legacy: the client handles the user's password directly; avoid, removed in the OAuth 2.1 draft)

2. Security Best Practices

  • Always use HTTPS, for every endpoint and for the redirect URI itself.
  • Store `client_secret` securely (never in frontend, mobile or native code, which cannot keep a secret).
  • Use PKCE (Proof Key for Code Exchange): mandatory for public clients (mobile/native/single-page apps) and recommended for all clients.
  • Limit token lifespan (`expires_in`) and rely on refresh tokens for longer sessions.

3. Common OAuth Vulnerabilities

  • CSRF Attacks: bind each authorization request to the user's session with an unguessable `state` value and reject any callback whose `state` does not match.
  • Open Redirect / Code Theft: register exact redirect URIs and compare them by exact string match, never by prefix or pattern.
  • Token Leakage: never log tokens or place them in URLs; send them only in the `Authorization` header.
  • Insufficient Scope Validation: request the minimum scope, and have the resource server check the token's scope on every request.
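
The full exchange from step 1 to step 6, with the `state` and PKCE protections from the best-practice list and the exact redirect URI and single-use-code checks that close the vulnerabilities above, as an added example that is not part of the original post. Both sides run in one process with no network: `AuthorizationServer` plays the provider and `Client` plays the web app's backend. The client ID `app123`, secret `s3cret`, `https://app.example/callback` and `https://accounts.example/authorize` are made-up values, and the PKCE transform is the S256 method from RFC 7636 (its Appendix B test vector can be used to check `code_challenge_s256`).

```python
# Added example, not the page's code: an in-memory authorization server and client that
# walk through steps 1-6 with the page's recommended state + PKCE checks, exact redirect_uri
# matching and single-use codes. client "app123", secret "s3cret" and the URLs are made up.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data):
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier):
    """PKCE S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def query_params(url):
    """First value of every query parameter of `url`, URL-decoded."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    """Toy provider: registered clients; codes bound to client, redirect_uri and challenge."""

    def __init__(self):
        self.clients = {}  # client_id -> {"secret", "redirect_uris"}
        self.codes = {}    # code -> {"client_id", "redirect_uri", "code_challenge", "scope"}

    def register(self, client_id, secret, redirect_uris):
        self.clients[client_id] = {"secret": secret, "redirect_uris": list(redirect_uris)}

    def authorize(self, params):
        """Steps 2-4: validate the request, then return the callback URL carrying the code."""
        client = self.clients.get(params.get("client_id"))
        if client is None:
            raise ValueError("unknown client_id")
        redirect_uri = params.get("redirect_uri")
        if redirect_uri not in client["redirect_uris"]:  # exact match, never prefix/wildcard
            raise ValueError("redirect_uri mismatch")
        if params.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        if params.get("code_challenge_method") != "S256" or not params.get("code_challenge"):
            raise ValueError("PKCE with S256 required")
        code = b64url(secrets.token_bytes(24))  # short-lived and single-use
        self.codes[code] = {"client_id": params["client_id"], "redirect_uri": redirect_uri,
                            "code_challenge": params["code_challenge"], "scope": params.get("scope", "")}
        # state is echoed back untouched so the client can match the callback to its session
        return redirect_uri + "?" + urlencode({"code": code, "state": params.get("state", "")})

    def token(self, form):
        """Step 5: authenticate the client, consume the code, verify redirect_uri and PKCE."""
        client = self.clients.get(form.get("client_id"))
        if client is None or not hmac.compare_digest(client["secret"], form.get("client_secret", "")):
            raise ValueError("invalid_client")
        record = self.codes.pop(form.get("code"), None)  # pop: a replayed code is rejected
        if record is None or record["client_id"] != form["client_id"]:
            raise ValueError("invalid_grant: unknown, already used or foreign code")
        if record["redirect_uri"] != form.get("redirect_uri"):
            raise ValueError("invalid_grant: redirect_uri differs from the authorization request")
        if not hmac.compare_digest(code_challenge_s256(form.get("code_verifier", "")), record["code_challenge"]):
            raise ValueError("invalid_grant: PKCE verification failed")
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer",
                "expires_in": 3600, "scope": record["scope"]}


class Client:
    """Toy web-app backend: remembers state and code_verifier for each pending login."""

    def __init__(self, server, client_id, secret, redirect_uri):
        self.server, self.client_id, self.secret, self.redirect_uri = server, client_id, secret, redirect_uri
        self.pending = {}  # state -> code_verifier (in Flask this lives in the server-side session)

    def start_login(self, scope="email"):
        """Step 1: build the authorization URL with fresh state and PKCE values."""
        state = b64url(secrets.token_bytes(16))
        verifier = b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636's 43..128 range
        self.pending[state] = verifier
        return "https://accounts.example/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
            "scope": scope, "state": state, "code_challenge": code_challenge_s256(verifier),
            "code_challenge_method": "S256"})

    def handle_callback(self, callback_url):
        """Steps 4-5: check state, then exchange the code server-to-server for a token."""
        qs = query_params(callback_url)
        verifier = self.pending.pop(qs.get("state", ""), None)  # unknown or reused state: reject
        if verifier is None:
            raise ValueError("state mismatch: possible CSRF")
        return self.server.token({"grant_type": "authorization_code", "code": qs.get("code", ""),
                                  "client_id": self.client_id, "client_secret": self.secret,
                                  "redirect_uri": self.redirect_uri, "code_verifier": verifier})


def run_demo():
    """Happy path across both sides; returns the token response."""
    server = AuthorizationServer()
    server.register("app123", "s3cret", ["https://app.example/callback"])
    client = Client(server, "app123", "s3cret", "https://app.example/callback")
    callback_url = server.authorize(query_params(client.start_login()))  # the user has consented
    return client.handle_callback(callback_url)
```

Call `run_demo()` to get a token response shaped like the one in step 5. Each protection fails closed: an unregistered `redirect_uri` is refused at the authorization endpoint, a callback whose `state` is not in `pending` is refused before any token request is made, and a code can be exchanged only once, and only together with the verifier whose SHA-256 matches the challenge sent in step 1.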

4. Debugging OAuth with `curl`

  • Check token validity. Google's tokeninfo endpoint takes the token as a query parameter rather than a Bearer header (the provider-neutral equivalent is an RFC 7662 introspection endpoint):
    curl "https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=ACCESS_TOKEN"
  • Because the token lands in the query string (and so in shell history and proxy logs), use this only with short-lived test tokens.
    

5. OAuth 2.0 in Python (Flask Example)

import secrets
from urllib.parse import urlencode

from flask import Flask, abort, redirect, request, session
import requests

app = Flask(__name__)
app.secret_key = secrets.token_hex(32)  # signs the session cookie that carries `state`

CLIENT_ID = "YOUR_CLIENT_ID"
CLIENT_SECRET = "YOUR_CLIENT_SECRET"
REDIRECT_URI = "https://your-app.com/callback"
AUTH_URL = "https://accounts.google.com/o/oauth2/auth"
TOKEN_URL = "https://oauth2.googleapis.com/token"
USERINFO_URL = "https://www.googleapis.com/oauth2/v1/userinfo"


@app.route('/login')
def login():
    # Fresh, unguessable `state` per login attempt, remembered in the user's session
    state = secrets.token_urlsafe(32)
    session['oauth_state'] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,  # urlencode() escapes it correctly
        "scope": "email",
        "state": state,
    }
    return redirect(f"{AUTH_URL}?{urlencode(params)}")


@app.route('/callback')
def callback():
    # CSRF defence: the callback must carry the state we issued, and it is accepted only once
    expected_state = session.pop('oauth_state', None)
    received_state = request.args.get('state', '')
    if not expected_state or not secrets.compare_digest(expected_state, received_state):
        abort(400, "state mismatch")
    code = request.args.get('code')
    if not code:  # the provider reports a denial as ?error=access_denied
        abort(400, request.args.get('error', 'missing authorization code'))
    token_response = requests.post(
        TOKEN_URL,
        data={
            "code": code,
            "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET,
            "redirect_uri": REDIRECT_URI,
            "grant_type": "authorization_code",
        },
        timeout=10,
    )
    token_response.raise_for_status()
    access_token = token_response.json()['access_token']
    user_info = requests.get(
        USERINFO_URL,
        headers={"Authorization": f"Bearer {access_token}"},
        timeout=10,
    )
    user_info.raise_for_status()
    return user_info.json()

What Undercode Say:

OAuth 2.0 is essential for modern web security but must be implemented carefully. Always:

✔ Use short-lived tokens.

✔ Validate redirect URIs.

✔ Monitor for unusual token usage.

✔ Prefer backend token handling over frontend.

Expected Linux/Windows Commands for OAuth Debugging

Check HTTPS redirects (Linux):
curl -v -L https://oauth-provider.com/auth

Monitor OAuth traffic (Windows; writes an ETL file, stop the capture with `netsh trace stop`):
netsh trace start capture=yes tracefile=oauth_trace.etl

Caveat: OAuth traffic is TLS-encrypted, so a packet capture shows hostnames and handshakes, not authorization codes or tokens. To inspect the actual requests, point your test client at an intercepting proxy whose CA it trusts, or use the provider's own debug logs.

Prediction:

OAuth 2.1 (still an IETF draft that consolidates OAuth 2.0 with the Security Best Current Practice) requires PKCE for the authorization code flow, removes the implicit and password grants, and forbids sending bearer tokens in query strings. Stay updated!

Expected Output:

A secure OAuth 2.0 implementation with proper token handling, scope validation, and HTTPS enforcement.

Reported By: Dharamveer Prasad – Hackers Feeds
