I have finally gotten a chance to dive into the weeds of the OAuth2 protocol and ask all the "why" questions around its components and design.
I have posted my notes and thoughts as an article that covers:
- Why do we need OAuth2 and what were the alternatives before it came?
- The OAuth2 roles, the general workflow and TOFU
- OAuth2 Client Applications, Static Registration and Credentials
- Authorization Servers and their typical API
- Access tokens. Why do we need them?
- What's the point of having access tokens and what do they represent?
- OAuth2 Scopes. What do they really mean?
- OAuth2 Authorization Code Flow. Why is it designed this way? The PKCE extension.
- OAuth2 Implicit Flow. What's so implicit about it? Why it was created in OAuth2.0 and deprecated in the OAuth2.1 Draft
- OAuth2 Client Credentials Flow, or how to access the Resource Server on the Client Application's behalf
- OAuth2 ROC Flow and why it was "deprecated" from day one
- OAuth2 Device Flow, or how to do OAuth2 when there is no browser on your target device
- A guide to picking the right flow for your use case
Hope someone finds this helpful.