How OAuth 2.0 authorization flow works

· Category: API & REST

Short answer

OAuth 2.0 is an authorization delegation framework: it lets a third-party application obtain limited, scoped access to a user's account on another service without the user ever sharing their password with that application.

Steps

  1. The client redirects the user to the authorization server with a client ID and requested scope.
  2. The user authenticates and grants permission.
  3. The authorization server returns an authorization code to the client via redirect.
  4. The client exchanges the code for an access token using its client secret.
  5. The client uses the access token to call protected APIs on behalf of the user.

Tips

  • Always use PKCE with the authorization code flow for public clients.
  • Prefer client credentials for machine-to-machine authentication.
  • Avoid the implicit flow due to token exposure in redirect URLs.
  • Store refresh tokens securely and rotate them on each use.
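The code below is an added example, not part of the original page: it walks steps 1 to 4 above as a public client using the authorization code flow with S256 PKCE and a state check, against a constructed in-memory stand-in for the authorization server. The endpoint URLs, client ID and scope are assumed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHZ_ENDPOINT = "https://auth.example.com/authorize"  # assumed provider endpoint
REDIRECT_URI = "https://client.example.com/callback"  # assumed registered redirect URI

def s256(code_verifier):  # RFC 7636 S256 transform: BASE64URL(SHA256(ASCII(verifier))), no '=' padding
    return base64.urlsafe_b64encode(hashlib.sha256(code_verifier.encode("ascii")).digest()).rstrip(b"=").decode("ascii")

def make_pkce_pair():  # fresh per-request verifier (43 chars from 32 random bytes) and its challenge
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, s256(verifier)

def build_authorization_url(client_id, scope, state, challenge):
    """Step 1: redirect target; state ties the later callback to this browser session."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": REDIRECT_URI,
              "scope": scope, "state": state, "code_challenge": challenge,
              "code_challenge_method": "S256"}
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"

def parse_callback(callback_url, expected_state):
    """Step 3: accept the returned code only if state matches what this session generated."""
    qs = parse_qs(urlparse(callback_url).query)
    if not secrets.compare_digest(qs.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: callback is not tied to this session")
    return qs["code"][0]

class ToyAuthorizationServer:  # constructed stand-in for the server side, in-memory only
    def __init__(self):
        self.pending = {}  # single-use code -> code_challenge it was issued against
    def issue_code(self, challenge):
        code = secrets.token_urlsafe(16)
        self.pending[code] = challenge
        return code
    def exchange(self, code, code_verifier):
        """Step 4: an intercepted code is useless without the verifier behind its challenge."""
        challenge = self.pending.pop(code, None)  # pop: a code can be redeemed once, even on failure
        if challenge is None or not secrets.compare_digest(s256(code_verifier), challenge):
            raise ValueError("unknown or already-used code, or PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}

def run_flow(server, client_id="demo-client", scope="read:profile"):  # steps 1-4; user login is simulated
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    sent = parse_qs(urlparse(build_authorization_url(client_id, scope, state, challenge)).query)
    code = server.issue_code(sent["code_challenge"][0])  # server records the challenge it saw
    callback = f"{REDIRECT_URI}?{urlencode({'code': code, 'state': state})}"
    return server.exchange(parse_callback(callback, state), verifier)
```

The verifier never leaves the client until the token exchange, so a code read out of a leaked redirect URL (the "Common issues" case below) cannot be redeemed by anyone who lacks it.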

Common issues

  • Leaked client secrets compromising token issuance.
  • Misconfigured redirect URIs enabling authorization code interception.
  • Overly broad scopes increasing blast radius if tokens are stolen.
  • Token expiration causing user-facing errors without smooth refresh handling.

Example

GET /api/protected HTTP/1.1
Host: api.example.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

This request shows step 5: the client presents the access token as a bearer token in the Authorization header when calling a protected API endpoint. Because anyone holding a bearer token can use it, the request must only be sent over TLS.