OAuth Flows Visualized

Listen to this Post

OAuth 2.0 is an authorization framework that enables applications to obtain limited access to user accounts on HTTP services. Below are the key OAuth 2.0 flows visualized for better understanding.

Note: The Implicit Flow is no longer recommended due to security vulnerabilities. Consider using the Authorization Code Flow with PKCE for enhanced security.

You Should Know:

1. Authorization Code Flow (Recommended)

This is the most secure and widely used OAuth 2.0 flow. It involves an intermediary authorization code to exchange for an access token.

Steps:

  1. Client redirects the user to the Authorization Server with:
    https://auth-server.com/authorize? 
    response_type=code& 
    client_id=CLIENT_ID& 
    redirect_uri=CALLBACK_URL& 
    scope=read& 
    state=RANDOM_STRING 
    

2. User authenticates and approves the request.

  1. Authorization Server redirects back to the Client with an authorization code:
    CALLBACK_URL?code=AUTHORIZATION_CODE&state=RANDOM_STRING 
    
  2. Client exchanges the code for an access token:
    curl -X POST https://auth-server.com/token \ 
    -d "grant_type=authorization_code" \ 
    -d "code=AUTHORIZATION_CODE" \ 
    -d "redirect_uri=CALLBACK_URL" \ 
    -d "client_id=CLIENT_ID" \ 
    -d "client_secret=CLIENT_SECRET" 
    
  3. Authorization Server responds with an access token (and optionally a refresh token).

  4. Authorization Code Flow with PKCE (Proof Key for Code Exchange)

Enhances security for public clients (e.g., mobile apps).

Steps:

  1. Client generates a code verifier and code challenge:

    Generate a random code_verifier (Base64 URL-safe) 
    openssl rand -hex 32 | base64 | tr -d '\n=' | tr -- '+/' '-_'
    
    Compute SHA-256 hash (code_challenge) 
    echo -n "$CODE_VERIFIER" | openssl dgst -binary -sha256 | base64 | tr -d '\n=' | tr -- '+/' '-_' 
    

2. Client includes `code_challenge` in the authorization request.

3. Authorization Server returns an authorization code.

  1. Client sends both `code_verifier` and `code` to get the token.

3. Client Credentials Flow (Machine-to-Machine)

Used for server-to-server authentication.

Steps:

1. Client requests a token directly:

curl -X POST https://auth-server.com/token \ 
-d "grant_type=client_credentials" \ 
-d "client_id=CLIENT_ID" \ 
-d "client_secret=CLIENT_SECRET" \ 
-d "scope=api_access" 

2. Authorization Server returns an access token.

4. Resource Owner Password Flow (Legacy, Not Recommended)

Only use if other flows are not possible.

Steps:

1. Client sends user credentials directly:

curl -X POST https://auth-server.com/token \ 
-d "grant_type=password" \ 
-d "username=USERNAME" \ 
-d "password=PASSWORD" \ 
-d "client_id=CLIENT_ID" 

2. Authorization Server returns an access token.

What Undercode Say:

OAuth 2.0 is essential for secure API authentication. Always prefer Authorization Code Flow with PKCE for public clients and Client Credentials Flow for backend services. Avoid deprecated flows like Implicit and Password Grant due to security risks.

Additional Security Commands:

  • Check Token Validity (Linux):
    curl -H "Authorization: Bearer ACCESS_TOKEN" https://api.example.com/validate 
    
  • Revoke a Token:
    curl -X POST https://auth-server.com/revoke \ 
    -d "token=ACCESS_TOKEN" \ 
    -d "client_id=CLIENT_ID" \ 
    -d "client_secret=CLIENT_SECRET" 
    
  • Debug JWT Tokens (jq required):
    echo "JWT_TOKEN" | cut -d '.' -f 2 | base64 -d | jq 
    

Expected Output:

A secure OAuth 2.0 implementation using best practices with proper token validation and PKCE support.

Reference: OAuth 2.0 Documentation

References:

Reported By: Sahnlam Oauth – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image