Dev/Oauth

toc secure flow original without PKCE secure flow with PKCE detailed flow examples (with PKCE) secure flow original without PKCE state param prevents CSRF 1) [front-channel] browser -> my-app GET [my-app.com/login](http://my-app.com/login) **- generate random value: state** < redirect to [auth-server.com/auth](http://auth-server.com/auth) (response_type, client_id, redirect_uri, scope, **state**) 2) [front-channel] browser -> auth-server GET [auth-server.com/auth](http://auth-server.com/auth) (response_type=code, client_id, redirect_uri, scope, **state**) < redirect to [my-app.com/redirect](http://my-app.com/redirect) (code, state) 3) [front-channel] browser -> my-app/redirect GET [my-app.com/redirect](http://my-app.com/redirect) (code, **state**) **- verifies state** 4) [back-channel] my-app -> auth-server POST [auth-server....

https://udemy.com/course/oauth-2-simplified bad: implicit flow → everything passes through url bar (aka front channel) through ‘front channel’ aka address bar good: back channel (aka HTTPS between browser & server → AJAX js call) client id client secret (aka client password) flow app builds url to redirect user to the auth server scope redirect uri client id login & approve & redirect back authorization code one-time-use short expiration date only usable once app contacts auth server authorization code client secret alternative to “authorization code” flow (when no client secret - aka public client) PKCE - Proof Key Code Exchange...