design·lab

Security

OAuth2

Let an app act on your behalf — with a scoped, expiring, revocable token instead of your password.

✗ Problem

A third-party app wants your data — don't hand it your password

"Let this app read your Google contacts." The naive fix: give the app your Google password. It works... catastrophically.

📱 Third-party app
"Enter your password"
🔑 Your password
the master key
📧 Your whole account
email, drive, contacts…
The app now has full access, forever — no scoping to just "contacts", no expiry, and no way to revoke it without changing your password (breaking every other app that used it too).
✓ How it works

OAuth2: delegated authorization

Four roles. The app never sees your password — it gets a scoped, expiring token instead.

1. Client → redirect(AuthServer)
2. You → consent to scope
   read:contacts
3. AuthServer → Client: code
4. Client → AuthServer:
   exchange code + PKCE
5. AuthServer → Client:
   access_token + refresh_token
6. Client → API: call w/ token
🧑 Resource Owner
you
🔐 Authorization Server
issues tokens
📱 Client
the app
🗄️ Resource Server
the API

This is the Authorization Code flow (+ PKCE) — the standard for apps. OIDC layers an ID token on top when the goal is login, not just data access.

✓ See it live

Walk the flow — then watch a token expire and refresh

Click through: redirect → consent → code → token → API call. Then the token expires, gets refused, and a refresh token mints a new one.

Follow the numbered messages top-to-bottom — your password never leaves you (steps 2–3); the app only gets a scoped token. Steps 9–13 show it expiring, then refreshing.

✓ Takeaway

Delegate access, don't share secrets

  • Never type your password into a third-party app.
  • Tokens are scoped (just what's needed), expiring, and revocable — independent of your account password.
  • Use the Authorization Code flow + PKCE for apps — not the old implicit flow.
  • Need to know who the user is (login)? That's OIDC, built on top of OAuth2.
  • Keep tokens safe: short-lived access tokens in memory, refresh tokens stored securely.
🎯 Relates: tokens are capability keys (see signed URLs); underpins modern login; least-privilege scopes echo Interface Segregation.