OAuth2

19/9/2025
OAuth is an authentication method that allows applications to share resources with each other without sharing username and password information. The word "Auth" here has two meanings:

  • Authentication: authenticating users through login.

  • Authorization: granting access to resources.

Agents (objects) in OAuth2

  • Resource Owner: The end-user who owns the data/resources. Example: You are the Resource Owner of the email data in your Google account.

  • Client: A third-party application that requests access to the data on behalf of the Resource Owner. This can be a web app, mobile app, or backend server. The Client must obtain an authorization grant from the Resource Owner.

  • Authorization Server: The system responsible for authenticating the Resource Owner and issuing an access token to the Client. Example: Google Authorization Server when you click “Login with Google”.

  • Resource Server: The server that stores and protects the requested data/resources. It only allows access if the Client provides a valid access token. Example: Gmail API, Google Calendar API.



Authorization Grant

  • Authorization Code: Used with server-side applications.

  • Implicit: Used with mobile applications (running on the user’s device) or web applications (also known as browser-based apps, e.g., Chrome Extension).

  • Resource Owner Password Credentials: Used with trusted applications, such as first-party apps developed by the same service provider.

  • Client Credentials: Used with applications that access resources directly via API.


Compare


Conclusion

OAuth is not only a widely adopted security standard but also the foundation that enables modern applications to communicate with each other securely. In the two flows being compared:

  • Authorization Code Flow (especially when combined with PKCE) is suitable for both server-side and mobile applications due to its high level of security and protection against access token leakage.

  • Implicit Flow was originally designed for browser-based web applications, but today it is increasingly discouraged because of its higher security risks.

In summary, Authorization Code Flow with PKCE is now considered the best practice to replace Implicit Flow. The choice of flow depends on the type of application, but the ultimate goal is always to balance user experience and security.
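As an added example (not part of the original post), the PKCE mechanics the conclusion recommends: the client derives a code_challenge from a secret code_verifier, sends only the challenge in the authorization request, and the authorization server re-checks the verifier when the code is exchanged for a token. The endpoint URL and client_id are placeholders.

```python
# Added example (not from the original post): PKCE (RFC 7636) on top of the
# Authorization Code flow, which is what makes it safe for public clients
# (mobile and browser apps) where Implicit Flow used to be recommended.
# Endpoint URL and client_id below are constructed placeholders.
import base64
import hashlib
import secrets
from urllib.parse import urlencode

AUTHZ_ENDPOINT = "https://auth.example.com/authorize"  # placeholder
CLIENT_ID = "example-client-id"                         # placeholder


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    # 32 random bytes -> 43-character verifier (RFC 7636 allows 43..128 chars).
    # The client keeps this secret; it is never sent via the browser redirect.
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(challenge: str, redirect_uri: str, state: str, scope: str) -> str:
    """Client -> Authorization Server. response_type=code (not token, which is Implicit)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # bound to the user's session so the callback can detect CSRF
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def server_verify(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization Server side, at the token endpoint: recompute and compare.
    A stolen authorization code is useless without the matching verifier."""
    return secrets.compare_digest(make_challenge(presented_verifier), stored_challenge)
```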

