HiveBrain v1.2.0
pattern | Major | pending

OAuth 2.0 flow selection guide

Submitted by: @anonymous
Tags: oauth flow, pkce, authorization code, client credentials, token storage

Problem

Need to choose the right OAuth 2.0 flow for each application type: SPAs, mobile/native apps, server-side web apps, and machine-to-machine services. The choice depends on whether the client can keep a secret and whether a user is present.

Solution

FLOW SELECTION:

1. SERVER-SIDE WEB APP (confidential client)
   -> Authorization Code Flow (+ PKCE)
   - Backend can keep the client_secret where users and browsers cannot reach it
   - Redirects user to auth server; the code comes back to the backend
   - Backend exchanges the code for tokens, authenticating with client_secret
   - Add PKCE here too: the OAuth 2.0 Security BCP and OAuth 2.1 require it for every authorization code exchange, it costs nothing, and it stops authorization code injection
   - Tokens stay on the server; the browser only gets a session cookie

2. SINGLE-PAGE APP (public client)
   -> Authorization Code Flow + PKCE
   - No client_secret (anything shipped to the browser is public)
   - PKCE binds the code to the client that started the flow, so an intercepted code is useless without the in-memory code_verifier
   - Always send and verify state (CSRF and mix-up protection)
   - Tokens stored in memory (not localStorage!)
   - Implicit flow is DEPRECATED, don't use it

3. MOBILE/NATIVE APP (public client)
   -> Authorization Code Flow + PKCE
   - Same as SPA, but open the auth server in the system browser or an in-app browser tab, never an embedded WebView (RFC 8252)
   - Redirect URI: prefer a claimed HTTPS URI (Universal Links / App Links). A custom URI scheme works, but any app on the device can register the same scheme and receive the code, which is one more reason PKCE is mandatory
   - PKCE is mandatory

4. MACHINE-TO-MACHINE (no user involved)
   -> Client Credentials Flow
   - Service identity, not a user's: the token says "this service", so scope it narrowly
   - Direct POST to the token endpoint with grant_type=client_credentials, authenticating with client_id + client_secret
   - No user interaction or redirect
   - Prefer private_key_jwt or mTLS client authentication over a shared secret where the auth server supports it; rotate secrets either way

5. FIRST-PARTY APP WITH TRUSTED BACKEND
   -> Resource Owner Password Credentials (ROPC), only if you must
   - User types username/password into your own login page; your server sends them to the token endpoint and gets tokens back
   - Breaks MFA, phishing-resistant login and consent, and trains users to type passwords into apps
   - Only for your own login page, NEVER for third-party clients
   - Generally discouraged even for first-party; removed from OAuth 2.1. Prefer authorization code + PKCE with a hosted login page


Token storage:
- Access tokens: in memory (a JavaScript variable in a SPA; Keychain / Keystore on mobile)
- Refresh tokens: SPA - keep them out of the page entirely. Put the refresh token in an HttpOnly, Secure, SameSite cookie that only your backend-for-frontend or the token endpoint path receives, so no script can read it. Mobile - platform secure storage
- NEVER in localStorage or sessionStorage (any XSS reads them, and they survive page reloads and tab close)
- NEVER in URL parameters (logged by servers and proxies, leaked through browser history and Referer headers)
- Caveat: in-memory tokens are still reachable by XSS while the page is open. Memory storage limits the blast radius to the current session; it is not an XSS defence, so keep access tokens short-lived and fix the XSS


Token lifetimes:
- Access token: 15 min - 1 hour (short, so a leaked token has a bounded life)
- Refresh token: days to weeks, with an absolute cap per login session that rotation does not extend
- Use refresh rotation: every use returns a new refresh token and invalidates the old one
- Detect reuse: if an already-used refresh token is presented again, revoke the whole token family and force re-login. The legitimate client and the thief both hold a valid-looking token and the server cannot tell which is which, so both must lose
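Refresh rotation with reuse detection and an absolute session cap, as an added example (not code from the original entry). The TokenService class, its in-memory store and the ACCESS_TTL / REFRESH_FAMILY_TTL values are assumptions for the demonstration; a real deployment keeps the same state in a database and hashes the stored tokens. The scenarios show a normal rotation, a stolen refresh token where the attacker redeems first, and the 14-day cap holding even for a client that rotates diligently.

```python
import secrets
import time

ACCESS_TTL = 15 * 60             # 15 minutes
REFRESH_FAMILY_TTL = 14 * 86400  # 14 days: absolute cap for one login session


class TokenService:
    """Short-lived access tokens plus single-use, rotating refresh tokens.

    Every login starts a token *family*. A refresh token may be redeemed exactly once
    and returns a successor in the same family. Presenting a refresh token that was
    already redeemed is treated as theft: the whole family is revoked.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self.refresh_tokens = {}      # refresh token -> {family, user, family_expires, used}
        self.revoked_families = set()

    def _issue(self, family: str, user: str, family_expires: float) -> dict:
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = {"family": family, "user": user,
                                        "family_expires": family_expires, "used": False}
        return {"access_token": secrets.token_urlsafe(32), "expires_in": ACCESS_TTL,
                "refresh_token": refresh, "family": family}

    def login(self, user: str) -> dict:
        """Called after the authorization code exchange succeeds: starts a new family."""
        return self._issue(secrets.token_hex(8), user, self.clock() + REFRESH_FAMILY_TTL)

    def refresh(self, refresh_token: str) -> dict:
        entry = self.refresh_tokens.get(refresh_token)
        if entry is None:
            raise PermissionError("invalid_grant: unknown refresh token")
        if entry["family"] in self.revoked_families:
            raise PermissionError("invalid_grant: token family revoked")
        if entry["used"]:
            # Either the legitimate client lost a response, or someone replayed a stolen token.
            # We cannot tell which holder is the thief, so both lose access and the user re-logs in.
            self.revoked_families.add(entry["family"])
            raise PermissionError("invalid_grant: refresh token reuse detected, family revoked")
        if self.clock() >= entry["family_expires"]:
            raise PermissionError("invalid_grant: refresh token expired")
        entry["used"] = True
        return self._issue(entry["family"], entry["user"], entry["family_expires"])

    def logout(self, family: str) -> None:
        """Revoking the family kills every outstanding refresh token from that login."""
        self.revoked_families.add(family)


def normal_rotation() -> dict:
    svc = TokenService()
    first = svc.login("alice")
    second = svc.refresh(first["refresh_token"])
    try:
        svc.refresh(first["refresh_token"])   # the old token is dead after rotation (and trips reuse detection)
        old_rejected = False
    except PermissionError:
        old_rejected = True
    return {"rotated": second["refresh_token"] != first["refresh_token"],
            "same_family": second["family"] == first["family"],
            "old_rejected": old_rejected}


def stolen_token_scenario() -> dict:
    """Attacker copies alice's refresh token; both parties then try to use it."""
    svc = TokenService()
    victim = svc.login("alice")
    stolen = victim["refresh_token"]
    attacker = svc.refresh(stolen)               # attacker redeems first and gets fresh tokens
    outcome = {}
    try:
        svc.refresh(stolen)                      # victim's app presents its now-stale token
    except PermissionError as e:
        outcome["victim"] = str(e)
    try:
        svc.refresh(attacker["refresh_token"])   # reuse detection has already killed the family
    except PermissionError as e:
        outcome["attacker"] = str(e)
    return outcome


def expiry_scenario() -> bool:
    """The family cap holds even if the client keeps rotating on time."""
    now = [0.0]
    svc = TokenService(clock=lambda: now[0])
    tok = svc.login("bob")
    now[0] += 13 * 86400
    tok = svc.refresh(tok["refresh_token"])       # still inside the 14-day cap
    now[0] += 2 * 86400
    try:
        svc.refresh(tok["refresh_token"])
        return False
    except PermissionError:
        return True
```

The cost of this design is that a lost response (the client sends the refresh request, the reply never arrives, the client retries with the same token) also revokes the family and forces a login. Some servers allow a short grace window in which the immediate predecessor is accepted; that weakens detection slightly, so keep the window to seconds if you add one.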

Why

Wrong OAuth flow = security vulnerability. Authorization Code + PKCE is now the recommended flow for every client that acts on behalf of a user, confidential or public; client credentials remains the choice when no user is involved. Implicit flow is deprecated because it returns the access token in the URL fragment, where browser history and any script on the page can read it, it cannot authenticate the client or bind the token to it, and it issues no refresh token.

Context

Authentication and authorization implementation
