Learn OAuth 2.0 - Get started as an API Security Expert

Explore OAuth 2.0 for third-party access by illustrating a resource owner, resources like emails, and a resource server such as Gmail, with a third-party app requesting secure access.

Understand the password anti-pattern where a third-party app gains direct access to a user’s password, risking Gmail, Drive, and Wallet, and learn why secure authorization prevents password transfer.

Explore how the email scheduling app requests access via the OAuth server, authenticates the resource owner with a login screen, issues a token, and grants access through the resource server.

OAuth 2.0 provides a standard for delegating access with tokens instead of passwords, enabling fine-grained, time-limited access to specific data for apps.

Explore the key OAuth 2.0 components, including actors, auth endpoints, and tokens, by examining inputs, outputs, and the contents of codes and tokens within a typical OAuth solution.

Identify the four OAuth actors—provider, resource provider, resource owner, and client—and their roles within the auth server, consent server, and token management.

Learn how the oauth flow uses resource owner, client, auth server, and resource server, with login, consent, endpoints, tokens, and grants securing access.

Learn OAuth 2.0 endpoints: authorization endpoint, token endpoint, redirect endpoint, and resource endpoint, with input and output parameters, grant types, and bearer-protected resources.

Understand how OAuth tokens grant access to resources, using a Paris subway ticket analogy: a valid token lets its holder access, while a valid-but-lost token can be used by others.

Explore OAuth tokens and credentials, including access and refresh tokens, authorization codes, and client credentials, and learn how to securely store and transport them using TLS.

Trace how a third-party app requests access to emails via the authorization endpoint, including the state parameter, and how the auth server issues a token for the resource server.

Explore the four OAuth flows, starting with the secure authorization code flow and its three-legged default approach. Learn how actors, endpoints, and tokens interact through grant types and requests.

Explains the authorization code flow, or three legged auth, where the auth server authenticates the resource owner and the client via client ID, client secret, and http basic.

Learn the authorization code grant workflow at the authorization endpoint, including obtaining a code, exchanging it for a token, and the roles of resource owner, client, and auth server.

Describe how the authorization code is exchanged at the token endpoint to obtain an access token, refresh token, and expiration, then use the bearer token to access protected resources.

Use the refresh flow to renew an access token by sending the refresh token to the token endpoint only. Receive a new access and refresh token without resource owner authentication.

Refresh tokens extend access by exchanging a valid refresh token at the token endpoint for a new access token (and often a new refresh token) in the authorization code flow.

Explore the OAuth 2.0 implicit flow, which returns an access token directly from the authorization endpoint, without a token endpoint or refresh tokens, suitable for client-side JavaScript and mobile apps.

Explain the resource owner password credentials flow, where the client uses the user's credentials to obtain tokens. Discuss trust-based use cases, security risks, and token handling with refresh tokens.

Discover how PKCE strengthens the authorization code grant for public clients by preventing authorization code interception attacks. Implement PKCE in every authorization code flow to improve API security.

Demonstrates how an unauthorized client hijacks the OAuth 2.0 flow by intercepting redirect and exchanging the authorization code for an access token, enabling the attacker to impersonate resource owner.

Explore how PKCE strengthens OAuth 2.0 by using a random code verifier and a derived code challenge, hashed with SHA-256 and base64 URL encoding to thwart attacks.