Security
OAuth2
Let an app act on your behalf — with a scoped, expiring, revocable token instead of your password.
A third-party app wants your data — don't hand it your password
"Let this app read your Google contacts." The naive fix: give the app your Google password. It works... catastrophically.
OAuth2: delegated authorization
Four roles. The app never sees your password — it gets a scoped, expiring token instead.
1. Client → redirect(AuthServer)
2. You → consent to scope
read:contacts
3. AuthServer → Client: code
4. Client → AuthServer:
exchange code + PKCE
5. AuthServer → Client:
access_token + refresh_token
6. Client → API: call w/ token
This is the Authorization Code flow (+ PKCE) — the standard for apps. OIDC layers an ID token on top when the goal is login, not just data access.
Walk the flow — then watch a token expire and refresh
Click through: redirect → consent → code → token → API call. Then the token expires, gets refused, and a refresh token mints a new one.
Follow the numbered messages top-to-bottom — your password never leaves you (steps 2–3); the app only gets a scoped token. Steps 9–13 show it expiring, then refreshing.
Delegate access, don't share secrets
- Never type your password into a third-party app.
- Tokens are scoped (just what's needed), expiring, and revocable — independent of your account password.
- Use the Authorization Code flow + PKCE for apps — not the old implicit flow.
- Need to know who the user is (login)? That's OIDC, built on top of OAuth2.
- Keep tokens safe: short-lived access tokens in memory, refresh tokens stored securely.