DEV Community

Cover image for What's OAuth2, anyway?
Roman Glushko
Roman Glushko

Posted on

What's OAuth2, anyway?

I have finally gotten a chance to dive into the weeds of the OAuth2 protocol and ask all why questions around its components and design 🙌

I have posted my notes and thoughts as the article that covers:

  • 🤔Why do we need OAuth2 and what were the alternatives before it came?
  • 🤝The OAuth2 roles, the general workflow and TOFU
  • 🤖OAuth2 Client Applications, Static Registration and Credentials
  • 🔒Authorization Servers and their typical API
  • 🎟️Access tokens. Why do we need them?
  • 🔄 What’s the point of having access tokens and what they represent?
  • 📚OAuth2 Scopes. What do they really mean?
  • 💃 OAuth2 Authorization Code Flow. Why is it designed this way? The PKCE extension.
  • 💃 OAuth2 Implicit Flow. What’s so implicit about it? Why it was created in OAuth2.0 and deprecated in the OAuth2.1 Draft
  • 🤖 OAuth2 Client Credentials Flow or how to access the Resource Server on Client Application behalf?
  • 🔑 OAuth2 ROC Flow and why was it “deprecated” from day one?
  • 📟 OAuth2 Device Flow or how to do OAuth2 when there is no browser on your target device?
  • 🗺️ Guide how to pick the right flow for your use case

The full article ⬅️

Hope someone find this helpful 🙌

Top comments (0)