Authorization code flow
Client → Provider (redirect). User consents. Provider → Client (code). Client exchanges code + client_secret → access token.
PKCE
Proof Key for Code Exchange. Client generates a random verifier, sends its hash (the challenge) with the authorization request, and presents the verifier only at token exchange. Prevents an intercepted code from being redeemed on mobile.
Tokens
Access token (bearer, short-lived). Refresh token (long-lived, used to obtain a new access token). ID token (OIDC, JWT with user info).
Common mistakes
Implicit flow (deprecated). Storing tokens in localStorage. Missing state parameter → CSRF.