The Infinity Logo
The Infinity
Security & Authentication Series

OAuth 2.0 Authorization

Visualize Authorization Code, PKCE, and Client Credentials flows. Understand how modern apps delegate authentication securely.

This interactive OAuth 2.0 simulator visualizes different authorization flows including Authorization Code, PKCE, Implicit, and Client Credentials. Watch step-by-step interactions between User, Client App, Authorization Server, and Resource Server. Learn OAuth security best practices for web and mobile apps.

Most secure flow for server-side apps. Uses a code exchanged for tokens.

Use Case: Web applications with a backend

User
Client App
Auth Server
Resource Server
1
Click "Login with Provider"

User initiates login

Speed:

Flow Steps

Visual Guide

  • User: The resource owner initiating authentication
  • Client App: Your application requesting access
  • Auth Server: Issues tokens after authentication
  • Resource Server: API that validates tokens

How to use

1. Select an OAuth flow using the buttons above.
2. Press Play to watch the animated flow step by step.
3. Adjust Speed to slow down or speed up the animation.
4. Click any step in the timeline to jump directly to it.

OAuth 2.0 Flow Comparison

FlowClient TypeTokensSecurity
Authorization CodeServer-side appsAccess + Refresh★★★★★
Code + PKCESPAs, MobileAccess + Refresh★★★★★
Implicit ⚠️Legacy SPAsAccess only★★☆☆☆
Client CredentialsMachine-to-machineAccess only★★★★☆

Quick Guide: OAuth 2.0 Flows

Understanding the basics in 30 seconds

How It Works

  • Client redirects user to Authorization Server
  • User authenticates and grants permissions
  • Auth Server returns authorization code
  • Client exchanges code for access token
  • Client uses token to access protected resources

Key Benefits

  • Delegated authorization - no password sharing
  • Scoped access - limit what apps can do
  • Token-based - revocable and time-limited
  • Standardized - works across providers
  • Separation of concerns - identity vs app

Real-World Uses

  • Login with Google/GitHub/Facebook
  • Third-party app integrations
  • API access for mobile apps
  • Microservices authentication
  • Enterprise SSO solutions

Understanding OAuth 2.0

The industry-standard protocol for secure authorization in modern applications.

What is OAuth 2.0?

OAuth 2.0 is an authorization framework that enables third-party applications to obtain limited access to user accounts without exposing passwords.

  • Delegates authentication to identity providers
  • Issues scoped access tokens
  • Supports multiple grant types for different use cases

Key Components

  • Resource Owner: The user who owns the data
  • Client: Application requesting access
  • Authorization Server: Issues tokens (e.g., Keycloak, Auth0)
  • Resource Server: API hosting protected data

OAuth 2.0 vs OpenID Connect

OAuth 2.0

  • Authorization only
  • Access tokens for API access
  • No standard for user identity

OpenID Connect (OIDC)

  • Built on top of OAuth 2.0
  • Adds authentication layer
  • ID tokens for user identity (JWT)

Best Practices

✓ Do

  • Use PKCE for public clients
  • Validate state parameter
  • Use short-lived access tokens
  • Store tokens securely

✗ Don't

  • Use Implicit flow for new apps
  • Store tokens in localStorage (XSS risk)
  • Expose client secrets in frontend
  • Skip token validation

→ Recommended

  • Authorization Code + PKCE
  • HttpOnly cookies for tokens
  • Backend-for-Frontend pattern
  • Regular token rotation

OAuth 2.0 Implementation Guide

Choosing the Right Flow

  • Web Apps with Backend: Authorization Code Flow
  • SPAs & Mobile Apps: Authorization Code + PKCE
  • Machine-to-Machine: Client Credentials Flow
  • Legacy SPAs: Implicit Flow (deprecated)

PKCE Explained

Proof Key for Code Exchange prevents authorization code interception attacks. Essential for public clients that cannot securely store a client secret.

// 1. Generate code_verifier (43-128 chars)
const verifier = generateRandomString(64);

// 2. Create code_challenge
const challenge = base64url(sha256(verifier));

// 3. Authorization request includes challenge
/authorize?code_challenge=xxx&code_challenge_method=S256

// 4. Token request includes verifier
POST /token { code_verifier: verifier }

Token Types

Access Token

  • Short-lived (minutes to hours)
  • Used to access APIs
  • Often a JWT
  • Sent in Authorization header

Refresh Token

  • Long-lived (days to weeks)
  • Used to get new access tokens
  • Stored securely (HttpOnly cookie)
  • Rotated on each use

Explore More Simulators(6 simulators)

JWT Token Simulator
#Security#Authentication
Popular
⭐ New
#JWT#API

JWT Token Simulator

Create, decode, and validate JSON Web Tokens. Understand header, payload, signature, and HMAC signing.

Labs
Authentication & Authorization
#Security#RBAC
Popular
⭐ New
#MFA#IAM

Authentication & Authorization

Understand AuthN vs AuthZ. Interactive RBAC matrix, MFA simulation, and session management.

Labs
Load Balancer Simulator
#DevOps#Infrastructure
Popular
⭐ New
#Algorithms

Load Balancer Simulator

Master the art of traffic distribution. Experiment with Round Robin, Least Connections, and weighted algorithms to optimize server performance.

Labs
Sharding & Consistent Hashing
#System Design#Database
Popular
⭐ New
#Scaling

Sharding & Consistent Hashing

Visualize data partitioning across distributed nodes. Understand how Consistent Hashing minimizes data movement when scaling.

Labs
CAP Theorem Simulator
#Distributed Systems#CAP Theorem
Popular
⭐ New
#System Design

CAP Theorem Simulator

Consistency vs. Availability. Visualize why distributed systems cannot guarantee both during network partitions.

Labs
CDN & Edge Caching
#Networking#Caching
Popular
⭐ New
#Performance

CDN & Edge Caching

Visualize how Content Delivery Networks reduce latency. Experiment with Cache Hits, Misses, and TTL eviction strategies.

Labs

The Infinity

Weekly tech insights, programming tutorials, and the latest in software development. Join our community of developers and tech enthusiasts.

Quick Links

Connect With Us

Daily.dev

Follow us for the latest tech insights and updates

© 2026 The Infinity. All rights reserved.