
OAuth2 Deep Dive

Eileen Pangu
11 min read · Dec 21, 2020

There are quite a few OAuth2 intro blog posts out there. While they serve as great resources for getting high-level background, they (purposely) skip the depth that serious OAuth2 learners may be looking for. On the other hand, OAuth2's formal RFC specs are freely available, but people tend to get impatient with 100+ pages of reading. So I want to provide a middle ground here. In this blog post, I'll go through every detail of the authorization code flow in OAuth2, step by step, field by field, and especially the rationale behind its design. There are alternative flows, such as the implicit flow and the client credentials flow; once you understand the code flow, you'll see that they are just compromises made for particular operating environments. Without further ado, let's get started.
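Before the field-by-field walk-through, here is the whole authorization code flow (RFC 6749, section 4.1) as a single runnable simulation. This is an added example written for this edit, not the author's code: the client and the authorization server run in one process so the four steps can be traced end to end, and every host name, client_id, secret and class name below is made up for illustration. Pay attention to the three checks the server and client make: the redirect_uri must be pre-registered, the state echoed back must match one the client issued, and a code is bound to its client and redirect_uri and is single-use.

```python
# Added example: simulation of the OAuth 2.0 authorization code flow
# (RFC 6749, section 4.1). Not the post's own code; all names, ids,
# secrets and URLs are constructed for illustration.
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class ExampleAuthServer:
    """Authorization server side: /authorize issues codes, /token redeems them."""

    CODE_TTL = 60  # seconds; RFC 6749 recommends at most 10 minutes

    def __init__(self):
        self.clients = {}  # client_id -> (client_secret, {registered redirect_uri})
        self.codes = {}    # code -> record binding it to client, redirect_uri, scope

    def register(self, client_id, client_secret, redirect_uris):
        self.clients[client_id] = (client_secret, set(redirect_uris))

    def authorize(self, authorization_url, user_approved=True):
        """Authorization endpoint. Returns the URL the user-agent is redirected to."""
        params = {k: v[0] for k, v in parse_qs(urlparse(authorization_url).query).items()}
        if params.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        client = self.clients.get(params.get("client_id"))
        if client is None:
            raise ValueError("invalid_client")
        redirect_uri = params.get("redirect_uri")
        # The code travels through the browser, so only a pre-registered
        # redirect_uri may receive it; otherwise an attacker names their own host.
        if redirect_uri not in client[1]:
            raise ValueError("invalid_redirect_uri")
        state = params.get("state", "")
        if not user_approved:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(32)
        self.codes[code] = {
            "client_id": params["client_id"], "redirect_uri": redirect_uri,
            "scope": params.get("scope", ""), "issued": time.time(), "used": False,
        }
        # state is echoed back untouched so the client can tie this response
        # to the request it actually started.
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, form, client_id, client_secret):
        """Token endpoint, called over the back channel with client credentials."""
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported_grant_type")
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client[0], client_secret):
            raise ValueError("invalid_client")
        rec = self.codes.get(form.get("code"))
        if rec is None or rec["used"] or time.time() - rec["issued"] > self.CODE_TTL:
            raise ValueError("invalid_grant")  # unknown, replayed or expired code
        if rec["client_id"] != client_id or rec["redirect_uri"] != form.get("redirect_uri"):
            raise ValueError("invalid_grant")  # code was issued to a different client/URI
        rec["used"] = True  # every code is single-use
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": rec["scope"]}


class ExampleClient:
    """Confidential client (server-side web app) that holds a client_secret."""

    def __init__(self, client_id, client_secret, redirect_uri, auth_server):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.auth_server = redirect_uri, auth_server
        self.pending = set()  # state values issued and not yet consumed

    def build_authorization_url(self, scope):
        state = secrets.token_urlsafe(16)  # unguessable, tied to this user session
        self.pending.add(state)
        return "https://as.example/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": scope, "state": state})

    def handle_callback(self, callback_url):
        q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
        if q.get("state") not in self.pending:
            raise ValueError("state mismatch")  # CSRF or an injected code
        self.pending.discard(q["state"])
        if "error" in q:
            raise ValueError(q["error"])
        return self.auth_server.token(
            {"grant_type": "authorization_code", "code": q["code"],
             "redirect_uri": self.redirect_uri},
            self.client_id, self.client_secret)


def run_code_flow():
    """Walk the whole flow once; return (token, callback_url) for inspection."""
    auth_server = ExampleAuthServer()
    auth_server.register("app-123", "s3cret", ["https://app.example/cb"])
    client = ExampleClient("app-123", "s3cret", "https://app.example/cb", auth_server)
    auth_url = client.build_authorization_url("read:profile")  # step 1: redirect the user
    callback_url = auth_server.authorize(auth_url)             # step 2: user approves, code issued
    token = client.handle_callback(callback_url)               # steps 3-4: code exchanged for token
    return token, callback_url


if __name__ == "__main__":
    print(run_code_flow()[0])
```

Run it and the printed token is the end product; the interesting behaviour is in the rejections. Replaying the same callback URL fails at the client (state already consumed), replaying the same code at the token endpoint fails with invalid_grant, and a redirect_uri that was not registered never gets a code at all. Those are exactly the properties the later field-by-field discussion has to justify.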

OAuth2 In a Nutshell

First and foremost, even though I assume readers typically look for a deep dive after they have some general background on the whole concept, to save you the trouble of going out in search of that information, I'll provide a few sentences of high-level summary. OAuth2 is an authorization framework that lets users delegate limited access to their accounts to third-party apps, without handing those apps their passwords. There are 3 keywords here:

  1. Third party: it's mostly useful for third-party apps. If the apps are first party, you should just ask the users to sign in on the apps directly. Third party here could mean a different organization, or a different part of the same organization. The essence is that the apps are considered "external" to the user account system and therefore they can't be trusted…


Written by Eileen Pangu

Manager and Tech Lead @ FANG. Enthusiastic tech generalist. Enjoy distilling wisdom from experiences. Believe in that learning is a lifelong journey.
