OAuth Flows from the Frontend
Implement the Authorization Code flow with PKCE in a SPA, exchange the code for tokens, store access tokens safely, and avoid implicit flow.
What Is OAuth?
OAuth 2.0 is a delegation protocol: your app gets permission to act on the user's behalf at a third-party service (Google, GitHub, etc.) without ever seeing the user's password. Used for 'Sign in with Google', GitHub OAuth apps, and most modern auth.
Key Roles
Resource Owner: the user. Client: your app. Authorization Server: the OAuth provider (Google, Auth0). Resource Server: the API protected by the access token.
All lessons in this course
- XSS Prevention: Output Encoding CSP
- CSRF: SameSite Cookies and Tokens
- Content Security Policy: nonce and hash
- OAuth Flows from the Frontend