Skip to main content
Souman Paul

OAuth 2.0 in Practice: Flows, Tokens, and the Parts That Matter

Souman Paul
ยท
3 min read
SecurityOAuth 2.0AuthFrontend
OAuth 2.0 in Practice: Flows, Tokens, and the Parts That Matter
Table of Contents

OAuth 2.0 is often introduced as a specification full of actors, grants, redirects, and tokens. In practice, what matters is much simpler: it is a delegated authorization model that lets one application access another system on behalf of a user without sharing the user's password.

The core problem OAuth 2.0 solves

If every third-party app asked for a user's primary login credentials, the blast radius of a compromise would be enormous. OAuth 2.0 replaces that with a permission grant mediated by an authorization server and represented through scoped tokens.

The main actors

  • Resource Owner: usually the user.
  • Client Application: the app requesting access.
  • Authorization Server: the system that authenticates the user and issues tokens.
  • Resource Server: the API that accepts those tokens.

The flow most frontend teams should know

For modern web apps and mobile apps, the most important flow is Authorization Code with PKCE. The user signs in through the authorization server, the app receives an authorization code, and that code is exchanged for tokens in a secure way that protects against interception and replay.

1. User clicks Sign in
2. App redirects to authorization server
3. User authenticates and approves scopes
4. Authorization server redirects back with code
5. App exchanges code + PKCE verifier for tokens
6. API calls use the access token

Access token vs refresh token

The access token is short-lived and is what your app sends to APIs. The refresh token is longer-lived and is used to obtain a new access token without forcing the user to sign in again. Treat refresh tokens as highly sensitive credentials and avoid exposing them directly to insecure frontend storage patterns.

Common mistakes teams make

  • Confusing authentication with authorization.
  • Storing long-lived tokens in unsafe places.
  • Using scopes that are broader than the app really needs.
  • Skipping PKCE for public clients.
  • Trusting token contents without validating issuer, audience, expiry, and signature rules.

What frontend engineers should care about

From the frontend perspective, the real job is redirect handling, session continuity, token lifetime awareness, and minimizing security footguns. That usually means relying on a trusted auth library or identity provider SDK instead of hand-rolling the protocol details.

Security checklist

  • Prefer authorization code flow with PKCE for browser and mobile apps.
  • Keep access tokens short-lived.
  • Use least-privilege scopes.
  • Validate redirect URIs strictly.
  • Separate app session handling from raw OAuth token handling where possible.

Final takeaway

OAuth 2.0 becomes much less intimidating when you focus on the actual outcome: safe delegation. For product teams, the useful question is not whether you can explain every clause of the spec, but whether your implementation protects tokens, uses the right flow, and keeps privilege boundaries tight.