Authorization code flow

Client → Provider (redirect). User consents. Provider → Client (redirect with authorization code). Client exchanges code + client_secret at the token endpoint → access token.


PKCE

Proof Key for Code Exchange. Client generates a random code verifier, sends its hash (code challenge) upfront with the authorization request, then presents the verifier when exchanging the code. Prevents code interception on mobile.


Tokens

Access token (bearer, short-lived). Refresh token (long-lived, used to obtain a new access token). ID token (OIDC, JWT with user info).

Common mistakes

Using the implicit flow (deprecated). Storing tokens in localStorage. Missing or unchecked state parameter → CSRF.