The latest articles on DEV Community by Ying Tunyaporn (@tunyaporn_sub_a4c79). https://dev.to/tunyaporn_sub_a4c79 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3336770%2Fd0bb20ba-cb7d-48fe-9a0d-e5f40769ba83.jpg https://dev.to/tunyaporn_sub_a4c79 en Ying Tunyaporn Sun, 03 Aug 2025 16:46:36 +0000 https://dev.to/tunyaporn_sub_a4c79/understanding-oauth2-a-beginner-friendly-guide-3e4o https://dev.to/tunyaporn_sub_a4c79/understanding-oauth2-a-beginner-friendly-guide-3e4o <h3> Introduction </h3> <p>I had heard about OAuth2 many times, but I never really understood what it was, since I had never worked on implementing authentication and authorization myself.<br> If you are in the same boat, this post is for you!</p> <p>Before we jump into OAuth2, let's review some basic terminology you should know:</p> <h4> Authentication </h4> <ul> <li>is the step that you verify the identity of the user.</li> <li>verifying <strong>who you are</strong> </li> </ul> <h4> Authorization </h4> <ul> <li>is the step that you verify the permission of the user.</li> <li>verifying <strong>what you're allowed to do</strong> </li> </ul> <h2> What is OAuth2? </h2> <p>OAuth2 is a security standard that allows one application to access user data from another application on the user's behalf <strong>without needing the user's password</strong>.</p> <blockquote> <p>For example, when you log into a website using your Google account, OAuth2 allows that website to access your data without seeing your password.</p> </blockquote> <p>Many organizations provide authorization servers that follow the OAuth2 framework, such as Okta, Keycloak, Auth0, and AWS Cognito.</p> <p>The main terminologies in OAuth2</p> <ol> <li> <strong>Resource Owner</strong> is the end user who owns the data.</li> <li> <strong>Client</strong> is the application that wants to access data.</li> <li> <strong>Authorization Server</strong> is the server that knows about resource owners, handles the login process, and issues tokens.</li> <li> <strong>Resource Server</strong> is the data provider that hosts the protected data.</li> </ol> <h3> Common Grant Types </h3> <p>Each grant type is for different use cases</p> <h4> 1. Authorization Code </h4> <p><strong>📌 Use case</strong><br> When an <strong>end user is involved</strong>, and the client is a trusted backend server.</p> <p><strong>📌 How it works</strong></p> <ul> <li>After the user authorizes, the client receives an <strong>authorization code</strong> from the authorization server.</li> <li>The client sends <strong>authorization code</strong> with the <strong>client secret</strong> for an access token.</li> <li>The authorization server issues the <strong>access token</strong> if valid.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5gkdgta0detmz7kbjm0u.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5gkdgta0detmz7kbjm0u.jpg" alt="OAuth2 Authorization Code diagram" width="800" height="552"></a></p> <p><strong>📝 Note:</strong></p> <ul> <li>The client in this diagram represents both the frontend and backend together. In practice, the frontend handles redirecting the user to the provider, while the backend exchanges the code for tokens.</li> <li>The client must be registered with the authorization server before it can request tokens and access protected resources.</li> </ul> <h4> 2. PKCE </h4> <p>PKCE = Proof key for code exchange</p> <p><strong>📌 Highlight</strong><br> very similar to the authorization code, but no client secret is involved</p> <p><strong>📌 Use case</strong><br> When an <strong>end user is involved</strong>, but the client <strong>cannot safely store a client secret</strong>, such as a JavaScript application.</p> <p><strong>📌 How it works</strong></p> <ul> <li>The client generates a <strong>code verifier</strong> and <strong>code challenge</strong>.</li> <li>The <strong>code challenge</strong> is sent in the initial authorization request.</li> <li>After the user authorizes, the client receives an <strong>authorization code</strong>.</li> <li>The client sends the <strong>authorization code</strong> along with the <strong>code verifier</strong> for an access token.</li> <li>The authorization server checks if the original code challenge matches the newly calculated one using the code verifier and issues the <strong>access token</strong> if valid.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9udg2xg8lqsg57tqmlo3.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9udg2xg8lqsg57tqmlo3.jpg" alt="OAuth2 PKCE diagram" width="800" height="578"></a></p> <h4> 3. Client Credentials </h4> <p><strong>📌 Use case</strong><br> When two backend applications communicate with each other, and <strong>an end user is not involved</strong>.</p> <p><strong>📌 How it works</strong></p> <ul> <li>The client authenticates using client ID and <strong>client secret</strong>.</li> <li>The authorization server returns the <strong>access token</strong> directly.</li> </ul> <h4> 4. Refresh Token </h4> <p><strong>📌 Use case</strong><br> When the access token expires, behind the scenes, the client application initiates this flow without involving the end user.</p> <p><strong>📌 How it works</strong></p> <ul> <li>The client stores a <strong>refresh token</strong> after the initial login.</li> <li>When the <strong>access token</strong> expires, the client sends the refresh token to get a new one.</li> </ul> <h3> Bonus: How the Resource Server Validates Tokens </h3> <h4> 1. Validating remotely </h4> <ul> <li>The token is in an opaque format (a random string with no readable info)</li> <li>The resource server will send the access token to the authorization server to validate by calling the introspection endpoint exposed by the authorization server.</li> </ul> <h4> 2. Validating locally </h4> <ul> <li>The token is JWT (JSON Web Token) format</li> <li>The resource server can verify the token itself.</li> <li>The secure approach is to use a JWKS (JSON Web Key Set). <ul> <li>The authorization server has a private key to issue the access token</li> <li>The resource server uses a public key to validate it.</li> </ul> </li> </ul> <h3> Conclusion </h3> <ul> <li>OAuth2 is a security standard that helps with authorization between applications.</li> <li>It allows applications to access user data without needing the user's password.</li> <li>It provides different grant types to support different use cases: <ul> <li>When an end user is involved <strong>→ Authorization Code</strong> </li> <li>When an end user is involved but the client can’t store a secret <strong>→ PKCE</strong> </li> <li>When no end user is involved (server-to-server) <strong>→ Client Credentials</strong> </li> <li>When the access token expires <strong>→ Refresh Token</strong> </li> </ul> </li> </ul> <h3> Reference </h3> <p>I learned a lot from this Udemy course: <a href="https://www.udemy.com/course/spring-security-zero-to-master/" rel="noopener noreferrer">Spring Security Zero to Master</a> on Spring Security, including OAuth2, which explained the grant types clearly. <br> Note: I’m not affiliated with this course — I just found it very helpful!</p> oauth2 beginnerdeveloper techexplained Ying Tunyaporn Sun, 27 Jul 2025 17:53:03 +0000 https://dev.to/tunyaporn_sub_a4c79/css-art-a-day-in-the-office-3e90 https://dev.to/tunyaporn_sub_a4c79/css-art-a-day-in-the-office-3e90 <p><em>This is a submission for <a href="https://dev.to/challenges/frontend/axero">Frontend Challenge: Office Edition sponsored by Axero, CSS Art: Office Culture</a>.</em></p> <h2> Inspiration </h2> <p>I enjoy creating beautiful front-end layouts and simple graphics. I found this challenge exciting because I don’t often get the chance to do this kind of creative work in my full-time job.</p> <p>My inspiration comes from my experience at the office. We have hot desks since we don't need to come in every day, a meeting room where we spend hours discussing ideas, and a canteen where we take breaks and grab snacks.</p> <h2> Demo </h2> <p><iframe height="600" src="https://codepen.io/Tunyaporn-Subsakorn/embed/XJmjPxv?height=600&amp;default-tab=result&amp;embed-version=2"> </iframe> </p> <h2> Journey </h2> <p>I started by drafting my idea for what my office would look like. <br> I tried to show how differently we arrange our desks, and show what we do apart from completing our tasks, like meeting with the team, taking a break, and chatting with our colleagues.</p> <h3> What I learned </h3> <ol> <li>Used <code>display: grid</code> to create the office layout.</li> <li>Used the <code>clip-path</code> property to shape elements.</li> <li>Used <code>position: relative</code> and <code>position: absolute</code> to place components precisely.</li> <li>Used <code>::before</code> and <code>::after</code> to add elements on top of the main element.</li> <li>Used the <code>animation</code> property to animate elements.</li> </ol> <p>Thank you for this challenge 🌷<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq17s11iax99bjq5acji2.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq17s11iax99bjq5acji2.jpg" alt="Screeenshot Demo Image"></a></p> frontendchallenge devchallenge css