OAuth & Authentication Concepts

OAuth 2.0, OpenID Connect, JWT, JWKS, PKCE, and modern auth patterns

Security / Auth

Contents

OAuth 2.0 Overview Authorization Code Flow PKCE (Proof Key) Client Credentials Implicit & Device Flow Access & Refresh Tokens JWT (JSON Web Token) JWT Claims JWKS (JSON Web Key Set) OpenID Connect (OIDC) Scopes & Consent Token Introspection Security Best Practices Protocol Comparison

🔐

OAuth 2.0 Overview

OAuth 2.0 is an authorization framework that lets third-party apps access a user's resources without exposing their credentials. It delegates authentication to the service that hosts the user account.

Key Roles

Role	Description	Example
Resource Owner	The user who owns the data	You (the end user)
Client	The application requesting access	Your web/mobile app
Authorization Server	Issues tokens after authentication	Google, Auth0, Keycloak
Resource Server	Hosts the protected resources (API)	Google Drive API

OAuth 2.0 vs Authentication: OAuth 2.0 is an authorization protocol — it answers "what can this app do?" not "who is this user?" For authentication (identity), you need OpenID Connect (OIDC) built on top of OAuth 2.0.

OAuth 2.0 Grant Types

Client App Authorization Server Resource Server │ │ │ │─── Authorization Req ──▶│ │ │◀── Authorization Grant ──│ │ │ │ │ │─── Exchange Grant ──────▶│ │ │◀── Access Token ─────────│ │ │ │ │ │─── API Request + Token ──────────────────────────────▶│ │◀── Protected Resource ────────────────────────────────│

🔑

Authorization Code Flow

The most secure and commonly used flow for server-side web apps. The client never sees the user's credentials.

Step-by-Step Flow

1. User clicks "Login with Google" 2. App redirects to Authorization Server: GET /authorize? response_type=code& client_id=abc123& redirect_uri=https://app.com/callback& scope=openid profile email& state=random_csrf_token 3. User logs in & consents 4. Auth server redirects back: GET /callback?code=AUTH_CODE&state=random_csrf_token 5. App exchanges code for tokens (server-to-server): POST /token grant_type=authorization_code& code=AUTH_CODE& client_id=abc123& client_secret=SECRET& redirect_uri=https://app.com/callback 6. Auth server returns: { access_token, refresh_token, id_token }

Why use a code? The authorization code is exchanged server-side, so the access token never passes through the browser. The state parameter prevents CSRF attacks.

Token Exchange Request

// Server-side token exchange
const response = await fetch('https://auth.example.com/token', {
  method: 'POST',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  body: new URLSearchParams({
    grant_type: 'authorization_code',
    code: authCode,
    client_id: 'abc123',
    client_secret: process.env.CLIENT_SECRET,
    redirect_uri: 'https://app.com/callback'
  })
});
const { access_token, refresh_token, id_token } = await response.json();

🛡️

PKCE (Proof Key for Code Exchange)

PKCE (pronounced "pixy") protects the authorization code flow for public clients (SPAs, mobile apps) that cannot securely store a client secret.

How PKCE Works

Step	Action	Detail
1	Generate `code_verifier`	Random string, 43–128 chars (A-Z, a-z, 0-9, -, ., _, ~)
2	Create `code_challenge`	`BASE64URL(SHA256(code_verifier))`
3	Send challenge in /authorize	`code_challenge=...&code_challenge_method=S256`
4	Send verifier in /token	`code_verifier=ORIGINAL_STRING`
5	Server verifies	Server hashes verifier and compares with stored challenge

// Generate PKCE code_verifier and code_challenge
function generateCodeVerifier() {
  const array = new Uint8Array(32);
  crypto.getRandomValues(array);
  return btoa(String.fromCharCode(...array))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

async function generateCodeChallenge(verifier) {
  const encoder = new TextEncoder();
  const data = encoder.encode(verifier);
  const digest = await crypto.subtle.digest('SHA-256', data);
  return btoa(String.fromCharCode(...new Uint8Array(digest)))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Usage in authorization URL
const verifier = generateCodeVerifier();
const challenge = await generateCodeChallenge(verifier);
// Store verifier in sessionStorage for later use

const authUrl = `https://auth.example.com/authorize?
  response_type=code&
  client_id=abc123&
  code_challenge=${challenge}&
  code_challenge_method=S256&
  redirect_uri=https://app.com/callback`;

Always use S256: The plain method sends the verifier as the challenge (no hashing) — only use S256 in production.

🤖

Client Credentials Flow

Used for machine-to-machine (M2M) communication where no user is involved — the app authenticates as itself.

// Client Credentials — server-to-server auth
const response = await fetch('https://auth.example.com/token', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded',
    'Authorization': `Basic ${btoa(`${CLIENT_ID}:${CLIENT_SECRET}`)}`
  },
  body: new URLSearchParams({
    grant_type: 'client_credentials',
    scope: 'api:read api:write'
  })
});

Use cases: Microservice communication, cron jobs, CI/CD pipelines, backend services calling other APIs.

📱

Implicit & Device Flow

Implicit Flow (Deprecated)

Deprecated in OAuth 2.1: Tokens are returned directly in the URL fragment — vulnerable to token leakage. Use Authorization Code + PKCE instead.

Aspect	Implicit	Auth Code + PKCE
Token delivery	URL fragment (#access_token=...)	Server-side exchange
Refresh tokens	Not supported	Supported
Security	Vulnerable to interception	Protected by PKCE challenge
Status	Deprecated	Recommended

Device Authorization Flow

For devices with limited input (TVs, CLI tools, IoT). User authorizes on a separate device.

1. Device requests device code: POST /device/code → { device_code, user_code: "ABCD-1234", verification_uri } 2. Device displays: "Go to https://auth.example.com/device and enter ABCD-1234" 3. User opens URL on phone/laptop, enters code, logs in, consents 4. Device polls for token: POST /token { grant_type=urn:ietf:params:oauth:grant-type:device_code, device_code=DEVICE_CODE } 5. Once user approves → returns access_token

🎟️

Access & Refresh Tokens

Property	Access Token	Refresh Token
Purpose	Authorize API requests	Get new access tokens
Lifetime	Short (5–60 min)	Long (days–months)
Sent to	Resource Server (API)	Authorization Server only
Format	JWT or opaque string	Usually opaque
Storage	Memory (SPA) or cookie	Secure httpOnly cookie
Revocable	Not easily (until expiry)	Yes, via revocation endpoint

Token Refresh Flow

// Refresh an expired access token
const response = await fetch('https://auth.example.com/token', {
  method: 'POST',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  body: new URLSearchParams({
    grant_type: 'refresh_token',
    refresh_token: storedRefreshToken,
    client_id: 'abc123'
  })
});
// Returns new { access_token, refresh_token (rotated) }

Refresh Token Rotation: Each use of a refresh token returns a new one and invalidates the old. If a stolen token is used, the server detects reuse and revokes the entire family.

📝

JWT (JSON Web Token)

A compact, URL-safe token format for securely transmitting claims between parties. Consists of three Base64URL-encoded parts separated by dots.

JWT Structure

eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.signature ├── Header ──────────┤├── Payload ───────────────────┤├── Signature ──┤ HEADER: PAYLOAD: SIGNATURE: { { RSASHA256( "alg": "RS256", "sub": "user123", base64UrlEncode(header) + "." + "typ": "JWT", "name": "John", base64UrlEncode(payload), "kid": "key-1" "iat": 1716239022, publicKey } "exp": 1716242622 )

Common Signing Algorithms

Algorithm	Type	Key	Use Case
`HS256`	Symmetric (HMAC)	Shared secret	Single service, internal APIs
`RS256`	Asymmetric (RSA)	Public/private key pair	Distributed systems, OIDC providers
`ES256`	Asymmetric (ECDSA)	Elliptic curve keys	Performance-critical, mobile
`EdDSA`	Asymmetric (Ed25519)	Edwards curve keys	Modern high-performance signing

Never use alg: "none": Disabling signature verification is a critical vulnerability. Always validate the alg header against an allowlist.

📋

JWT Claims

Claims are key-value pairs in the JWT payload. They carry information about the user, token, and authorization.

Registered (Standard) Claims

Claim	Full Name	Description	Example
`iss`	Issuer	Who issued this token	`"https://auth.example.com"`
`sub`	Subject	Unique identifier for the user	`"user_abc123"`
`aud`	Audience	Intended recipient(s) of the token	`"https://api.example.com"`
`exp`	Expiration	Epoch time when token expires	`1716242622`
`nbf`	Not Before	Token not valid before this time	`1716239022`
`iat`	Issued At	When the token was created	`1716239022`
`jti`	JWT ID	Unique token identifier (prevents replay)	`"a1b2c3d4"`

Common Custom Claims

{
  "iss": "https://auth.example.com",
  "sub": "user_abc123",
  "aud": "https://api.example.com",
  "exp": 1716242622,
  "iat": 1716239022,
  "scope": "openid profile email",
  "roles": ["admin", "editor"],
  "org_id": "org_xyz",
  "email": "john@example.com",
  "email_verified": true
}

Validation Checklist

Verify signature using the correct key (from JWKS)
Check exp — reject expired tokens
Check nbf — reject tokens used too early
Check iss — must match your expected issuer
Check aud — must include your API's identifier
Check alg — must be in your allowlist (never accept "none")

🔑

JWKS (JSON Web Key Set)

A JWKS is a JSON document containing the public keys used to verify JWT signatures. Published at a well-known URL by the authorization server.

JWKS Endpoint

// Typically at: https://auth.example.com/.well-known/jwks.json
{
  "keys": [
    {
      "kty": "RSA",            // Key type
      "kid": "key-2024-01",     // Key ID — matches JWT header 'kid'
      "use": "sig",             // Usage: signing
      "alg": "RS256",           // Algorithm
      "n":   "0vx7agoebGc...",  // RSA modulus (Base64URL)
      "e":   "AQAB"             // RSA exponent
    }
  ]
}

How JWT + JWKS Verification Works

1. Client sends JWT to Resource Server 2. Server reads JWT header → extracts "kid" (key ID) 3. Server fetches JWKS from auth server (cached) 4. Server finds the matching key by "kid" 5. Server verifies JWT signature using the public key 6. If valid → process the claims

Key Rotation

Auth servers rotate keys periodically for security
JWKS always contains the current + recent keys
The kid in the JWT header identifies which key was used
Resource servers should cache JWKS with a TTL (e.g. 1 hour) and re-fetch on kid cache miss
Never hardcode public keys — always fetch from JWKS endpoint

🪪

OpenID Connect (OIDC)

OIDC is an identity layer on top of OAuth 2.0. While OAuth handles authorization, OIDC adds standardized authentication — telling your app who the user is.

What OIDC Adds to OAuth 2.0

Feature	OAuth 2.0	OIDC (OAuth 2.0 + Identity)
Purpose	Authorization (access to resources)	Authentication (user identity)
ID Token	Not defined	JWT with user claims
UserInfo endpoint	Not standardized	`/userinfo`
Discovery	Not standardized	`/.well-known/openid-configuration`
Standard scopes	App-defined	`openid`, `profile`, `email`, `address`, `phone`

ID Token Claims

// ID token payload (returned when scope includes "openid")
{
  "iss": "https://auth.example.com",
  "sub": "user_abc123",
  "aud": "client_abc123",      // Your app's client_id
  "exp": 1716242622,
  "iat": 1716239022,
  "nonce": "n-0S6_WzA2Mj",    // Prevents replay attacks
  "auth_time": 1716239020,     // When user actually authenticated
  "name": "John Doe",
  "email": "john@example.com",
  "email_verified": true,
  "picture": "https://example.com/john.jpg"
}

Discovery Document

Every OIDC provider publishes a discovery document at /.well-known/openid-configuration:

{
  "issuer": "https://auth.example.com",
  "authorization_endpoint": "https://auth.example.com/authorize",
  "token_endpoint": "https://auth.example.com/token",
  "userinfo_endpoint": "https://auth.example.com/userinfo",
  "jwks_uri": "https://auth.example.com/.well-known/jwks.json",
  "scopes_supported": ["openid", "profile", "email"],
  "response_types_supported": ["code"],
  "id_token_signing_alg_values_supported": ["RS256"]
}

🎯

Scopes & Consent

Scopes define what access the client is requesting. The user sees a consent screen listing these permissions.

Standard OIDC Scopes

Scope	Claims Returned
`openid`	`sub` (required for OIDC — triggers ID token)
`profile`	`name`, `family_name`, `given_name`, `picture`, `locale`
`email`	`email`, `email_verified`
`address`	`address` (structured JSON)
`phone`	`phone_number`, `phone_number_verified`
`offline_access`	Grants a refresh token

Custom API Scopes

// Common patterns for API scopes
"scope": "read:users write:users delete:users"    // Resource-based
"scope": "api.read api.write api.admin"            // Namespace-based
"scope": "repos:read gists:write orgs:admin"       // GitHub-style

🔍

Token Introspection & Revocation

Token Introspection (RFC 7662)

Allows resource servers to check if an opaque token is valid and get its metadata.

// POST to introspection endpoint
POST /introspect
Authorization: Basic base64(client_id:client_secret)
Content-Type: application/x-www-form-urlencoded

token=ACCESS_TOKEN&token_type_hint=access_token

// Response
{
  "active": true,
  "sub": "user_abc123",
  "client_id": "my_app",
  "scope": "read write",
  "exp": 1716242622,
  "token_type": "Bearer"
}

Token Revocation (RFC 7009)

// Revoke a token (usually refresh token on logout)
POST /revoke
Authorization: Basic base64(client_id:client_secret)
Content-Type: application/x-www-form-urlencoded

token=REFRESH_TOKEN&token_type_hint=refresh_token

// Returns 200 OK (always, even if token was already invalid)

JWT vs Opaque: JWTs can be verified locally (no network call). Opaque tokens require introspection. JWTs are harder to revoke — you need a token blocklist or short expiry + refresh tokens.

🛡️

Security Best Practices

Token Storage (Frontend)

Storage	XSS Risk	CSRF Risk	Recommendation
`localStorage`	Vulnerable	Safe	Avoid for sensitive tokens
`sessionStorage`	Vulnerable	Safe	OK for short-lived tokens
`httpOnly cookie`	Safe	Vulnerable	Best — add CSRF protection
In-memory variable	Safe	Safe	Best for SPAs (lost on refresh)

Checklist

Always use HTTPS — tokens in transit must be encrypted
Use PKCE for all public clients (SPAs, mobile, CLI)
Validate state parameter to prevent CSRF
Use nonce in OIDC to prevent replay attacks
Set short access token expiry (5–15 min)
Implement refresh token rotation
Use exact redirect URI matching (no wildcards)
Store secrets server-side only — never in frontend code
Validate iss, aud, exp on every JWT
Use an allowlist for alg — reject "none"
Implement token revocation on logout

Common Vulnerabilities

Attack	Description	Prevention
CSRF	Attacker tricks user into authorizing a malicious request	`state` parameter
Token Leakage	Token exposed in URL, logs, or referrer header	Use auth code flow, not implicit
Code Interception	Auth code stolen in transit (mobile deep links)	PKCE
Replay Attack	Stolen token reused	`nonce`, `jti`, short expiry
alg:none	Forged JWT with disabled signature	Validate alg against allowlist
SSRF via redirect_uri	Redirect to attacker-controlled URL	Exact URI matching, pre-registered URIs

⚖️

Protocol & Flow Comparison

When to Use Which Flow

Scenario	Recommended Flow	Why
Server-side web app	Authorization Code	Client secret stored securely on server
SPA (React, Vue, etc.)	Auth Code + PKCE	No client secret; PKCE protects the flow
Mobile app	Auth Code + PKCE	Same as SPA; use custom URL scheme for redirect
CLI / device	Device Authorization	No browser; user authorizes on separate device
Server-to-server (M2M)	Client Credentials	No user involved; app authenticates as itself
Need user identity	OIDC (any flow + `openid` scope)	Returns ID token with user claims

OAuth 2.0 vs OAuth 2.1

Change	OAuth 2.0	OAuth 2.1 (Draft)
PKCE	Optional	Required for all clients
Implicit flow	Allowed	Removed
Password grant	Allowed	Removed
Redirect URI	Loose matching	Exact string matching required
Refresh tokens	No rotation required	Rotation recommended