https://udemy.com/course/oauth-2-simplified

bad: implicit flow → everything passes through the URL bar / address bar (aka the ‘front channel’)
good: back channel (direct HTTPS between browser & server, e.g. an AJAX JS call)

client id, client secret (aka client password)

flow

  1. app builds url to redirect user to the auth server
    1. scope
    2. redirect uri
    3. client id
  2. login & approve & redirect back
    1. authorization code
      1. one-time-use (redeemable only once)
      2. short expiration
  3. app contacts auth server
    1. authorization code
    2. client secret

alternative to the client secret in the “authorization code” flow (when there is no client secret - aka public client): PKCE - Proof Key for Code Exchange

  • unique secret for each request

  • used at start of flow

  • used when redeeming authorization code

redirect uri → must be fixed & pre-registered https://… because otherwise impersonation
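Worked example (added here, not from the course): the flow above with PKCE, RFC 7636 S256 style. The app makes a fresh verifier per request, sends only its SHA-256 challenge in the step 1 URL, and presents the verifier when redeeming the code in step 3; the auth-server side recomputes the challenge and also requires an exact redirect_uri match. AUTH_ENDPOINT, CLIENT_ID and REGISTERED_REDIRECT_URI are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed placeholder values, not from any real deployment.
AUTH_ENDPOINT = "https://auth.example.com/authorize"
CLIENT_ID = "example-public-client"
REGISTERED_REDIRECT_URI = "https://app.example.com/callback"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def challenge_for(verifier: str) -> str:
    """S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple[str, str]:
    """Unique secret per request: verifier stays in the app, challenge goes up front."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside the 43..128 range
    return verifier, challenge_for(verifier)


def build_authorize_url(scope: str, redirect_uri: str, client_id: str,
                        challenge: str, state: str) -> str:
    """Step 1: the front-channel URL the app redirects the user to."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def server_redeem_ok(stored_challenge: str, registered_redirect_uri: str,
                     presented_verifier: str, presented_redirect_uri: str) -> bool:
    """Step 3 as the auth server sees it: the verifier must hash to the challenge saved
    with the code (constant-time compare), and redirect_uri must match exactly."""
    return (secrets.compare_digest(challenge_for(presented_verifier), stored_challenge)
            and presented_redirect_uri == registered_redirect_uri)
```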


Section 4) OAuth for Server-Side applications (oauth2 secure backend flow)