OAuth 2.0 - Coggle Diagram
OAuth 2.0
Authorization Code Grant
(Recommended flow for all client types)
Used for server-side web apps (confidential clients); with PKCE (RFC 7636) also for single-page and native apps
Recommended by the OAuth 2.0 Security BCP (RFC 9700): the access token is returned over a back channel and never passes through the browser
Exchanges a short-lived, single-use authorization code for an access token at the token endpoint
Requires client authentication (client secret) for confidential clients; public clients cannot keep a secret and use PKCE instead
Redirect URI must exactly match a pre-registered value (no prefix or wildcard matching); the state parameter ties the callback to the user's session
Pictorial Representation
Step 1: Client redirects the user agent to the authorization endpoint (response_type=code, client_id, redirect_uri, scope, state, code_challenge)
Step 2: User authenticates and consents; authorization server redirects back to the redirect URI with the authorization code and state
Step 3: Client checks state, then exchanges the code (plus client secret or PKCE code_verifier) for an access token at the token endpoint
Step 4: Client accesses the protected resource with the access token (Authorization: Bearer header)
Example Use Case
Use Case: Logging into a third-party website using Google login
The OAuth 2.0 authorization code grant type, or auth code flow, enables a client application to obtain authorized access to protected resources such as web APIs. The auth code flow requires a user agent that supports redirection from the authorization server (for example, the Microsoft identity platform) back to your application.
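The four steps above, worked through as runnable code. This is an added example, not part of the original diagram or any provider's SDK: both the client and an in-memory authorization server are simulated in one process, the client registration ("web-app-123", its secret and its redirect URI) and the user "alice" are constructed values, and the server enforces the checks a practitioner should expect at each step: exact redirect URI match, state verification, client authentication, single-use and expiry of the code, and PKCE (S256) verification.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client registration for a hypothetical confidential client (not a real provider).
REGISTERED_CLIENTS = {
    "web-app-123": {
        "secret": "s3cr3t-client-secret",
        "redirect_uris": {"https://app.example/callback"},
    }
}


def s256(verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def pkce_pair():
    """Return (code_verifier, code_challenge); 32 random bytes give a 43-char verifier."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    return verifier, s256(verifier)


class AuthorizationServer:
    """In-memory stand-in for the authorization endpoint (Step 2) and token endpoint (Step 3)."""

    def __init__(self):
        self._codes = {}  # code -> binding data; a real server keeps this server-side too

    def authorize(self, req, user="alice"):
        """Step 2: the user has authenticated and consented; mint a short-lived, single-use code."""
        client = REGISTERED_CLIENTS[req["client_id"]]
        if req["redirect_uri"] not in client["redirect_uris"]:
            raise ValueError("redirect_uri not registered (exact match, no prefix matching)")
        if req.get("code_challenge_method") != "S256":
            raise ValueError("PKCE with S256 is required")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": req["client_id"], "redirect_uri": req["redirect_uri"],
                             "challenge": req["code_challenge"], "user": user,
                             "expires": time.time() + 60}
        return f"{req['redirect_uri']}?{urlencode({'code': code, 'state': req['state']})}"

    def token(self, client_id, client_secret, code, redirect_uri, code_verifier):
        """Step 3: authenticate the client, then redeem the code exactly once."""
        client = REGISTERED_CLIENTS.get(client_id, {"secret": ""})  # dummy keeps timing uniform
        if not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        rec = self._codes.pop(code, None)  # pop: a replayed code finds nothing
        if rec is None or rec["expires"] < time.time():
            raise PermissionError("invalid_grant: unknown, expired or already used code")
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant: code is bound to another client or redirect_uri")
        if not secrets.compare_digest(s256(code_verifier), rec["challenge"]):
            raise PermissionError("invalid_grant: PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "sub": rec["user"]}


def run_flow(server, client_id="web-app-123", redirect_uri="https://app.example/callback"):
    """Drive Steps 1-3 from the client's side; returns (token_response, code, verifier)."""
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(16)  # ties the callback to this browser session
    # Step 1: the parameters the client puts on the authorization endpoint URL
    authz_request = {"response_type": "code", "client_id": client_id,
                     "redirect_uri": redirect_uri, "scope": "profile", "state": state,
                     "code_challenge": challenge, "code_challenge_method": "S256"}
    callback_url = server.authorize(authz_request)
    # Step 2 lands on the redirect URI: verify state before doing anything with the code
    params = parse_qs(urlparse(callback_url).query)
    if params.get("state", [None])[0] != state:
        raise PermissionError("state mismatch: possible CSRF or login injection")
    code = params["code"][0]
    # Step 3: back-channel exchange; the code alone is worthless without secret + verifier
    secret = REGISTERED_CLIENTS[client_id]["secret"]
    return server.token(client_id, secret, code, redirect_uri, verifier), code, verifier


def redeem_fails(server, *args):
    """True if the token endpoint rejects the exchange; used to show the guards working."""
    try:
        server.token(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    srv = AuthorizationServer()
    tok, code, verifier = run_flow(srv)
    print("token response:", tok)
    print("replay rejected:", redeem_fails(srv, "web-app-123", "s3cr3t-client-secret", code,
                                           "https://app.example/callback", verifier))
```

Two details carry most of the security value: the code is popped from storage on first use, so an attacker who captures it from a browser history or referer header cannot redeem it a second time, and the PKCE verifier is never visible to anyone but the client that started the flow, so an injected or stolen code fails the S256 check even when the client has no secret at all.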
Key Features
Authorization
Authentication (not provided by OAuth 2.0 itself, which is an authorization framework; added by OpenID Connect on top of it)
Access Tokens
Refresh Tokens
Scopes
Roles: resource owner, client, authorization server, resource server (clients are confidential or public depending on whether they can keep a secret)
Implicit Grant (Deprecated)
Historically used for single-page apps and mobile apps; deprecated by the OAuth 2.0 Security BCP (RFC 9700) in favor of Authorization Code + PKCE
Less secure: no client authentication and no code exchange step, so the token cannot be bound to the client
Obtains the access token directly from the authorization endpoint (response_type=token)
Token is returned in the URL fragment, so it is exposed to the user, the user agent, browser history and any script running on the page
Pictorial Representation
Step 1: Client redirects the user agent to the authorization endpoint (response_type=token)
Step 2: Authorization server redirects back with the access token in the URL fragment
Step 3: Client-side script reads the fragment and accesses the resource with the access token
Example Use Case
Use Case: Single-page application accessing API directly
Client Credentials Grant
Used for machine-to-machine access (service to service)
No user context: the client acts on its own behalf; there is no resource owner and no refresh token is issued
Obtains an access token directly from the token endpoint (grant_type=client_credentials)
Requires client authentication: a client secret at minimum, or stronger methods such as private_key_jwt or mutual TLS
Pictorial Representation
Step 1: Client authenticates to the token endpoint and requests a token (optionally with a scope)
Step 2: Authorization server checks the credentials and requested scope and returns an access token
Step 3: Client accesses resource with access token
Example Use Case
Use Case: Backend service accessing another service
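The client credentials exchange above, worked through as an added example that is not part of the original diagram or any real provider's implementation. The client registry ("billing-svc", its secret and allowed scopes) is constructed. The example shows the detail of RFC 6749 §2.3.1 that is most often got wrong: client_id and client_secret are form-urlencoded before being joined with ":" and base64-encoded for HTTP Basic authentication, which matters as soon as a secret contains ":" or other reserved characters. The simulated token endpoint authenticates the client with a constant-time comparison, rejects scopes beyond those registered, and issues no refresh token.

```python
import base64
import secrets
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed registry of one hypothetical machine client; the secret contains reserved
# characters on purpose to show why RFC 6749 §2.3.1 form-urlencodes before Basic auth.
CLIENTS = {
    "billing-svc": {"secret": "p@ss:w0rd/with#reserved",
                    "scopes": {"invoices:read", "invoices:write"}},
}


def basic_auth_header(client_id, client_secret):
    """client_id and secret are percent-encoded first, then 'id:secret' is base64-encoded."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_token_request(client_id, client_secret, scope=None):
    """Step 1 from the client side: the headers and form body sent to the token endpoint."""
    body = {"grant_type": "client_credentials"}
    if scope:
        body["scope"] = scope
    return {"headers": {"Authorization": basic_auth_header(client_id, client_secret),
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode(body)}


def token_endpoint(request):
    """Step 2 on the authorization server: returns (http_status, json_body)."""
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        client_id, secret = (unquote(part) for part in
                             base64.b64decode(auth[len("Basic "):]).decode().split(":", 1))
    except (ValueError, UnicodeDecodeError):  # bad base64, missing ':' or non-UTF-8 bytes
        return 401, {"error": "invalid_client"}
    # Unknown clients get a dummy secret so the comparison runs in constant time either way.
    client = CLIENTS.get(client_id, {"secret": "", "scopes": set()})
    if not secrets.compare_digest(client["secret"], secret):
        return 401, {"error": "invalid_client"}
    form = parse_qs(request["body"])
    if form.get("grant_type") != ["client_credentials"]:
        return 400, {"error": "unsupported_grant_type"}
    # Scope is space-separated; an omitted scope means "everything the client is registered for",
    # and the client may never obtain more than that.
    requested = set(form["scope"][0].split()) if "scope" in form else set(client["scopes"])
    if not requested <= client["scopes"]:
        return 400, {"error": "invalid_scope"}
    # No user is involved, so the token carries no person's identity, and no refresh token is
    # issued (RFC 6749 §4.4.3: refresh tokens SHOULD NOT be included for this grant).
    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                 "expires_in": 600, "scope": " ".join(sorted(requested))}


if __name__ == "__main__":
    req = build_token_request("billing-svc", "p@ss:w0rd/with#reserved", "invoices:read")
    print(req["headers"]["Authorization"])
    print(token_endpoint(req))
```

Because the client secret is the only thing standing between an attacker and a token here, the usual hardening applies: store it in a secrets manager rather than in the image or repository, rotate it, and prefer private_key_jwt or mutual TLS where the provider supports them so that no bearer-style secret crosses the network at all.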
Resource Owner Password Credentials Grant (Legacy)
Originally intended only for highly trusted first-party apps
Requires the user's username and password to be handed to the client
Obtains an access token directly from the token endpoint (grant_type=password)
Must not be used in new systems (RFC 9700): the client sees the raw credentials, MFA and federated login cannot be applied, and phishing becomes indistinguishable from legitimate use
Pictorial Representation
Step 1: User provides credentials to the client
Step 2: Client sends the credentials to the token endpoint and receives an access token
Step 3: Client accesses resource with access token
Example Use Case
Use Case: Trusted mobile app accessing user account information
OIDC Flow
Key Features
Identity layer on top of OAuth 2.0: adds authentication to what is otherwise an authorization framework
Adds the ID Token, a signed JWT that states who authenticated, when, and for which client
Provides user profile information (standard claims in the ID Token and the UserInfo endpoint)
Supports multiple response types (code, id_token, token and hybrid combinations); code is the recommended choice
Nonce binds the ID Token to the client session and protects against replay
Pictorial Representation
Step 1: Client sends the user agent to the authorization endpoint with scope=openid, state and a fresh nonce
Step 2: Authorization server authenticates the user and redirects back with the authorization code
Step 3: Client exchanges the code for an ID Token and an access token
Step 4: Client verifies the ID Token: signature against the provider's keys, iss, aud, exp/iat and nonce
Step 5: Client accesses resource (or the UserInfo endpoint) with the access token
Example Use Case
Use Case: Single Sign-On (SSO) with OpenID Connect
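Step 4 of the OIDC flow, the ID Token verification, worked through as an added example that is not part of the original diagram or any provider's library. The provider ("https://op.example"), the client ("web-app-123") and its secret are constructed values. The token is signed with HS256 using the client secret as the key, which OpenID Connect Core §10.1 permits and which keeps the example free of external crypto libraries; most public providers use RS256 with keys fetched from their JWKS endpoint, and the claim checks are identical in that case. The relying-party side pins the expected algorithm, verifies the signature in constant time, and then checks iss, aud (with azp when there are several audiences), exp, iat and nonce; an alg=none forgery and a forged payload are rejected.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for a hypothetical provider and relying party (not a real deployment).
ISSUER = "https://op.example"
CLIENT_ID = "web-app-123"
CLIENT_SECRET = "s3cr3t-client-secret"  # HS256 key: OIDC Core §10.1 derives it from the client secret


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(nonce, sub="alice", key=CLIENT_SECRET, issuer=ISSUER, aud=CLIENT_ID,
                   now=None, ttl=300):
    """Provider side (Step 3): mint a compact JWS ID Token signed with HS256."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": sub, "aud": aud, "iat": now, "exp": now + ttl,
              "nonce": nonce, "email": "alice@example"}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    sig = hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_id_token(token, expected_nonce, key=CLIENT_SECRET, now=None, leeway=60):
    """Relying-party side (Step 4): the checks from OIDC Core §3.1.3.7. Returns the claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: letting the token's own 'alg' choose the verifier is what makes
    # the classic 'alg: none' and key-confusion forgeries work.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))  # only trusted after the signature check
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise ValueError("token not intended for this client")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("multiple audiences but azp is not this client")
    if claims.get("exp", 0) + leeway < now:
        raise ValueError("expired")
    if claims.get("iat", now + leeway + 1) > now + leeway:
        raise ValueError("issued in the future")
    if not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise ValueError("nonce mismatch: token replayed or bound to another session")
    return claims


def alg_none_forgery(token):
    """What an attacker tries: rewrite the header to alg=none and drop the signature."""
    _, p, _ = token.split(".")
    forged_header = b64url(b'{"alg":"none"}')
    return f"{forged_header}.{p}."


def verification_fails(token, expected_nonce, **kwargs):
    """True if verify_id_token rejects the token; used to show each guard working."""
    try:
        verify_id_token(token, expected_nonce, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    nonce = "n-0S6_WzA2Mj"  # constructed; a real client stores it in the session at Step 1
    token = issue_id_token(nonce)
    print("verified claims:", verify_id_token(token, nonce))
    print("alg=none forgery rejected:", verification_fails(alg_none_forgery(token), nonce))
```

The nonce is what makes this an authentication, not just a signature check: the client generated it at Step 1 and kept it in the session, so a valid ID Token replayed from another session or obtained by an attacker does not match and is rejected even though the issuer, audience and signature are all correct.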