OAuth 2.0 Flows and Token Types
Compare authorization code, implicit, client credentials, and device flows — and when to use each.
OAuth 2.0 Core Roles
OAuth 2.0 defines four roles. The Resource Owner is the user who owns data (e.g., their Google Drive files). The Client is the application requesting access. The Authorization Server issues access tokens (e.g., Google's OAuth server). The Resource Server hosts the protected data (e.g., Google Drive API). Understanding these roles clarifies each flow's purpose.
Authorization Code Flow
The authorization code flow is the correct flow for server-side web applications. The user authenticates at the authorization server, which redirects to the client with a short-lived authorization code. The client's server exchanges this code for tokens via a back-channel request. Tokens never pass through the browser, protecting them from browser history and referrer leakage.
All lessons in this course
- OAuth 2.0 Flows and Token Types
- PKCE: Securing Public Clients
- OpenID Connect Claims and ID Tokens
- OAuth Vulnerabilities and Attack Patterns