The cast

Authorization Code + PKCE

Use for: all browser, mobile, and native apps acting on behalf of a user. The default for almost every modern integration.

  1. Client redirects user to authorization server with a random code_challenge.
  2. User authenticates and consents.
  3. Authorization server redirects back with an authorization code.
  4. Client exchanges the code plus the original code_verifier for tokens.

PKCE (Proof Key for Code Exchange, RFC 7636) closes a class of code-interception attacks. It's mandatory for public clients and recommended for confidential clients too.

Client Credentials

Use for: machine-to-machine. The client authenticates with its own credentials and gets a token tied to itself, not a user.

POST /oauth/token
grant_type=client_credentials&client_id=...&client_secret=...&scope=invoices.read

Device Code

Use for: input-constrained devices — TVs, CLI tools, IoT. The device shows a code; the user opens a separate browser to enter it; the device polls until the user finishes.

Implicit (deprecated)

Returns tokens directly in the URL fragment. Originally used for SPAs but exposes tokens to browser history, referrer leaks, and XSS. Replaced by Authorization Code + PKCE. Do not use for new applications.

Resource Owner Password Credentials (deprecated)

The client collects the user's password and exchanges it for tokens. Defeats the whole point of OAuth (the user must trust the client with their password). Reserved for legacy migrations.

Validate redirect URIs strictly. Wildcarded or open-redirect-prone redirect URIs are a common source of OAuth vulnerabilities. Require exact match.
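As an added example (not code from the original page), the PKCE steps and the redirect URI rule above in one small Python model: the client makes a code_verifier and S256 code_challenge, and a hypothetical authorization server checks the redirect URI by exact string match, binds the one-time code to the challenge, and issues tokens only when the presented verifier recomputes to it. The client id, URIs and in-memory code store are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

def b64url(raw: bytes) -> str:
    # base64url without '=' padding, as RFC 7636 specifies
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    # 32 random bytes -> 43 unreserved characters, the RFC 7636 minimum length
    return b64url(secrets.token_bytes(32))

def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def verify_code_challenge(verifier: str, challenge: str) -> bool:
    # Server side: reject out-of-spec lengths, then compare in constant time
    if not 43 <= len(verifier) <= 128:
        return False
    return hmac.compare_digest(make_code_challenge(verifier), challenge)

# Hypothetical authorization-server state (constructed for this example)
REGISTERED_REDIRECTS = {"app-1": {"https://app.example/callback"}}
_issued_codes: Dict[str, Tuple[str, str, str]] = {}

def authorize(client_id: str, redirect_uri: str, code_challenge: str) -> Optional[str]:
    # Exact-match redirect URI check: no prefix, wildcard or parsed-host comparison
    if redirect_uri not in REGISTERED_REDIRECTS.get(client_id, set()):
        return None
    code = secrets.token_urlsafe(24)
    _issued_codes[code] = (client_id, redirect_uri, code_challenge)
    return code

def redeem(code: str, client_id: str, redirect_uri: str, verifier: str) -> Optional[dict]:
    # Single use: the code is consumed even when the exchange fails
    rec = _issued_codes.pop(code, None)
    if rec is None or rec[0] != client_id or rec[1] != redirect_uri:
        return None
    if not verify_code_challenge(verifier, rec[2]):
        return None
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}

def run_flow() -> Tuple[bool, bool]:
    # A code redeemed with its own verifier succeeds; the same code without it does not
    verifier = make_code_verifier()
    uri = "https://app.example/callback"
    code = authorize("app-1", uri, make_code_challenge(verifier))
    other = authorize("app-1", uri, make_code_challenge(verifier))
    ok = redeem(code, "app-1", uri, verifier) is not None
    rejected = redeem(other, "app-1", uri, make_code_verifier()) is None
    return ok, rejected
```

The verifier/challenge pair in the test below is the worked S256 example from RFC 7636 Appendix B.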