Course: The Nuts and Bolts of OAuth 2.0
April 9th, 2022
https://udemy.com/course/oauth-2-simplified
bad: implicit flow → everything passes through the URL bar / address bar (aka the 'front channel')
good: back channel (HTTPS between browser & server, e.g. an AJAX/JS call)
client id
client secret (aka client password)
flow
    app builds url to redirect user to the auth server
        scope
        redirect uri
        client id
    login & approve & redirect back
        authorization code
            one-time-use (only usable once)
            short expiration date
    app contacts auth server
        authorization code
        client secret
alternative to "authorization code" flow (when no client secret - aka public client)
    PKCE - Proof Key for Code Exchange
        unique secret for each request
        used at start of flow
        used when redeeming authorization code
redirect uri → fixed https://... URI, because otherwise impersonation is possible
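The authorization code flow with PKCE from the notes above, as an added Python example (not course material): the app side builds the authorize URL from a fresh code_verifier, and a hypothetical toy auth server (ToyAuthServer, constructed for this example, along with the client id and URLs used in it) enforces the three properties noted: exact redirect_uri match, one-time short-lived code, and verifier check when the code is redeemed.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode

def b64url(data: bytes) -> str:
    # base64url without '=' padding, as RFC 7636 requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def new_verifier() -> str:
    # fresh per request: 32 random bytes -> 43-char code_verifier
    return b64url(secrets.token_bytes(32))

def challenge_for(verifier: str) -> str:
    # S256 method: code_challenge = BASE64URL(SHA256(code_verifier))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def authorize_url(server: str, client_id: str, redirect_uri: str, scope: str, verifier: str) -> str:
    # step 1: the app builds the URL it redirects the user to (challenge, not verifier, goes in it)
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "code_challenge": challenge_for(verifier), "code_challenge_method": "S256"}
    return f"{server}/authorize?{urlencode(params)}"

class ToyAuthServer:
    # hypothetical auth server: issues one-time, short-lived codes and checks PKCE
    def __init__(self, registered: dict, code_ttl: float = 60.0):
        self.registered = registered  # client_id -> the one fixed https redirect_uri
        self.codes = {}               # code -> {client_id, challenge, expires, used}
        self.code_ttl = code_ttl

    def authorize(self, client_id: str, redirect_uri: str, code_challenge: str) -> str:
        # exact match against the registered URI; anything looser enables impersonation
        if self.registered.get(client_id) != redirect_uri:
            raise ValueError("redirect_uri does not match registered value")
        code = b64url(secrets.token_bytes(16))
        self.codes[code] = {"client_id": client_id, "challenge": code_challenge,
                            "expires": time.monotonic() + self.code_ttl, "used": False}
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> dict:
        rec = self.codes.get(code)
        if rec is None or rec["used"] or rec["client_id"] != client_id or time.monotonic() > rec["expires"]:
            raise ValueError("invalid, expired or already used code")
        rec["used"] = True  # burn the code before checking PKCE so a failed attempt cannot retry it
        if not secrets.compare_digest(challenge_for(code_verifier), rec["challenge"]):
            raise ValueError("PKCE verification failed")
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer"}
```

The S256 computation can be checked against the test vector in RFC 7636 Appendix B.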
Section 4) OAuth for Server-Side applications