I have finally gotten a chance to dive into the weeds of the OAuth2 protocol and ask all why questions around its components and design 🙌
I have posted my notes and thoughts as the article that covers:
- 🤔Why do we need OAuth2 and what were the alternatives before it came?
- 🤝The OAuth2 roles, the general workflow and TOFU
- 🤖OAuth2 Client Applications, Static Registration and Credentials
- 🔒Authorization Servers and their typical API
- 🎟️Access tokens. Why do we need them?
- 🔄 What’s the point of having access tokens and what they represent?
- 📚OAuth2 Scopes. What do they really mean?
- 💃 OAuth2 Authorization Code Flow. Why is it designed this way? The PKCE extension.
- 💃 OAuth2 Implicit Flow. What’s so implicit about it? Why it was created in OAuth2.0 and deprecated in the OAuth2.1 Draft
- 🤖 OAuth2 Client Credentials Flow or how to access the Resource Server on Client Application behalf?
- 🔑 OAuth2 ROC Flow and why was it “deprecated” from day one?
- 📟 OAuth2 Device Flow or how to do OAuth2 when there is no browser on your target device?
- 🗺️ Guide how to pick the right flow for your use case
Hope someone find this helpful 🙌
Top comments (0)