OAuth 2.0 flow selection guide
Tags: oauth flow, pkce, authorization code, client credentials, token storage
Problem
Need to choose the right OAuth 2.0 flow for different application types: SPAs, mobile apps, server-side apps, and machine-to-machine.
Solution
OAuth 2.0 flow selection:
FLOW SELECTION:
1. SERVER-SIDE WEB APP (confidential client)
   -> Authorization Code Flow
   - Server can securely store the client_secret
   - Redirects the user to the authorization server
   - Exchanges the code for tokens on the backend
   - Most secure flow

2. SINGLE-PAGE APP (public client)
   -> Authorization Code Flow + PKCE
   - No client_secret (it cannot be kept secret in the browser)
   - PKCE prevents authorization code interception
   - Tokens stored in memory (not localStorage!)
   - Implicit flow is DEPRECATED, don't use it

3. MOBILE/NATIVE APP (public client)
   -> Authorization Code Flow + PKCE
   - Same as SPA, but the authorization request opens in the system browser
   - Use a custom URI scheme for the redirect
   - PKCE is mandatory

4. MACHINE-TO-MACHINE (no user involved)
   -> Client Credentials Flow
   - Service account authentication
   - Direct token request with client_id + client_secret
   - No user interaction or redirect

5. FIRST-PARTY APP WITH TRUSTED BACKEND
   -> Resource Owner Password (if you must)
   - User sends username/password directly to your server
   - Your server exchanges them for tokens
   - Only for your own login page, NEVER for third-party apps
   - Generally discouraged even for first-party apps

TOKEN STORAGE:
- Access tokens: in memory (JavaScript variable)
- Refresh tokens: HttpOnly secure cookie (SPA) or secure storage (mobile)
- NEVER in localStorage or sessionStorage (XSS vulnerable)
- NEVER in URL parameters

ACCESS TOKEN LIFETIMES:
- Access token: 15 min - 1 hour
- Refresh token: days to weeks
- Use refresh rotation (new refresh token on each use)

Why
Choosing the wrong OAuth flow is itself a security vulnerability. Authorization Code + PKCE is now the recommended flow for all clients. Implicit flow is deprecated because it delivers tokens in the URL, where they are exposed.
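The Authorization Code + PKCE flow recommended above, as an added Python example (not part of the original pattern): the client derives the S256 code_challenge from a random code_verifier, the authorization server checks the verifier at the token endpoint, and an authorization code presented without its verifier is rejected. The endpoint URLs and client id are assumed placeholders, not real services.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def make_code_verifier(nbytes: int = 32) -> str:
    """Random RFC 7636 code_verifier: 32 bytes -> 43 unpadded base64url chars (allowed 43..128)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), with no '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(auth_endpoint: str, client_id: str, redirect_uri: str,
                            scope: str, state: str, challenge: str) -> str:
    """Step 1 (client): redirect the user to the authorization endpoint carrying the challenge."""
    params = {
        "response_type": "code",            # authorization code; never "token" (implicit flow)
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,                     # bound to the session; checked on the redirect back
        "code_challenge": challenge,
        "code_challenge_method": "S256",    # "plain" adds no protection; always use S256
    }
    return f"{auth_endpoint}?{urlencode(params)}"


def server_verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Step 2 (authorization server, token endpoint): the challenge saved with the issued code
    must match the verifier sent with that code; constant-time compare avoids timing leaks."""
    return secrets.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


def demo() -> dict:
    """Walk one SPA login; endpoints and client id are assumed placeholders."""
    verifier = make_code_verifier()             # kept in memory by the SPA, never sent via URL
    challenge = code_challenge_s256(verifier)   # the only PKCE value that travels in the browser URL
    url = build_authorization_url("https://auth.example/authorize", "spa-client",
                                  "https://app.example/callback", "openid profile",
                                  secrets.token_urlsafe(16), challenge)
    return {
        "authorize_url": url,
        "legit_exchange": server_verify_pkce(challenge, verifier),
        # whoever only observed the code and challenge lacks the verifier, so the exchange fails
        "code_without_verifier": server_verify_pkce(challenge, make_code_verifier()),
    }
```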
Context
Authentication and authorization implementation