OAuth is a set of delegation patterns, not a button you add. Pick the wrong flow and you invite attacks or ruin UX. Key decisions: grant type, client type, token shape. Read: https://leaflet.pub/p/did:plc:3vdrgzr2zybocs45yfhcr6ur/3mfd2oxx5v22b
Practical mapping: Authorization Code + PKCE — public clients (mobile, SPA). Client Credentials — machine-to-machine. Authorization Code w/ client secret — confidential servers (current best practice adds PKCE here too; it costs nothing and blocks code injection). Avoid Implicit & Resource Owner Password grants for new builds.
Top failure modes: loose redirect_uri matching (prefix/wildcard rules), long-lived access tokens, refresh tokens that never rotate, client secrets shipped to browsers. Mitigations: exact-string redirect_uri allow-list, PKCE, short access TTLs, refresh-token rotation with reuse detection, audience & scope checks on every resource request.
Build checklist: (1) Auth Code + PKCE for user flows, (2) client credentials for service-to-service calls, (3) store client secrets only on servers, (4) rotate refresh tokens and revoke the whole family on reuse, (5) monitor & audit token use. Source: https://leaflet.pub/p/did:plc:3vdrgzr2zybocs45yfhcr6ur/3mfd2oxx5v22b
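The checks the thread lists, worked through as a toy authorization server plus resource-server check. This is an added example, not code from the linked post or any real library: the class and function names are hypothetical, the access token is a plain dict of claims standing in for a signed JWT (no signing, to keep the focus on the flow logic), and the client registrations and URLs are constructed sample data. It shows PKCE S256 (RFC 7636), exact-match redirect_uri validation, one-time authorization codes, refresh-token rotation with family revocation on reuse, and audience/scope/expiry checks.

```python
import base64
import hashlib
import hmac
import secrets
import time

AUDIENCE = "https://api.example.test"   # constructed sample audience


def b64url(raw: bytes) -> str:
    # base64url without padding, as RFC 7636 requires
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes -> 43 unreserved chars, inside the 43..128 range of RFC 7636 4.1
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def redirect_uri_allowed(requested: str, registered: frozenset) -> bool:
    # Exact string comparison only: no prefix match, wildcard, or host normalisation
    return requested in registered


class AuthorizationServer:
    ACCESS_TTL = 300  # seconds; short-lived access tokens limit replay window

    def __init__(self, clients):
        # clients: {client_id: {"redirect_uris": frozenset, "public": bool, "secret": str|None}}
        self.clients = clients
        self.codes = {}             # code -> binding of client, redirect_uri, challenge, scope
        self.refresh = {}           # refresh_token -> {"client_id", "scope", "family", "used"}
        self.revoked_families = set()

    def authorize(self, client_id, redirect_uri, code_challenge, scope):
        client = self.clients[client_id]
        if not redirect_uri_allowed(redirect_uri, client["redirect_uris"]):
            raise PermissionError("redirect_uri not registered")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "challenge": code_challenge, "scope": scope}
        return code

    def token_from_code(self, client_id, code, redirect_uri, code_verifier, client_secret=None):
        client = self.clients[client_id]
        if not client["public"] and not hmac.compare_digest(client_secret or "", client["secret"]):
            raise PermissionError("bad client secret")
        rec = self.codes.pop(code, None)   # pop first: a code is single-use whatever happens next
        if rec is None or rec["client_id"] != client_id:
            raise PermissionError("unknown or reused code")
        if rec["redirect_uri"] != redirect_uri:
            raise PermissionError("redirect_uri mismatch")
        if not hmac.compare_digest(make_code_challenge(code_verifier), rec["challenge"]):
            raise PermissionError("PKCE verification failed")
        return self._issue(client_id, rec["scope"], family=secrets.token_hex(8))

    def refresh_tokens(self, client_id, refresh_token):
        rec = self.refresh.get(refresh_token)
        if rec is None or rec["client_id"] != client_id:
            raise PermissionError("unknown refresh token")
        if rec["family"] in self.revoked_families:
            raise PermissionError("refresh token family revoked")
        if rec["used"]:
            # An already-rotated token presented again means it leaked: kill every descendant
            self.revoked_families.add(rec["family"])
            raise PermissionError("refresh token reuse detected; family revoked")
        rec["used"] = True
        return self._issue(client_id, rec["scope"], family=rec["family"])

    def _issue(self, client_id, scope, family):
        rt = secrets.token_urlsafe(32)
        self.refresh[rt] = {"client_id": client_id, "scope": scope, "family": family, "used": False}
        access = {"aud": AUDIENCE, "client_id": client_id, "scope": scope,
                  "exp": time.time() + self.ACCESS_TTL}
        return {"access_token": access, "refresh_token": rt}


def resource_server_accepts(access, required_scope, audience=AUDIENCE, now=None):
    # Resource side: reject tokens minted for another audience, expired, or lacking the scope
    now = time.time() if now is None else now
    if access["aud"] != audience or access["exp"] <= now:
        return False
    return required_scope in access["scope"].split()


def raises(fn, *args):
    # small helper so the flow can be exercised without try/except noise
    try:
        fn(*args)
    except PermissionError:
        return True
    return False
```

Run a flow end to end: register a public SPA client with one exact redirect URI, obtain a code with a challenge, exchange it with the verifier, then present the old refresh token a second time and watch the whole family die. The one thing this toy omits that production must not is binding the access token to a verifiable signature or introspection endpoint; the `aud`/`exp`/`scope` checks above are what the resource server runs after that signature check passes.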