OAuth 2.0 Cheat Sheet: What is OAuth 2? – Actors, EndPoints, Grant Types, OAuth Flows

Suppose you want to use a great new third party application for Emails that has many awesome features you want. However, this new email application will need access to your Gmail emails in order to work.

Would you give you Gmail password to this third-party application? No.

So, how can this third-party app access our Gmail emails without getting your password?

OAuth 2.0 is one way.

Instead of providing your credentials to this third-party app, you will be redirected to Google OAuth Server. This OAuth Server will accept your Gmail credentials and provide a temporary Access Token to the Third-party app.

Now the third-party app can use this Access Token and access only your Gmail emails. The app cannot use this token to access any other data like your Google Drive. Also this Access Token has a validity after which the token will expire and will have to be re-generated.

Part 1: OAuth Actors
Part 2: OAuth EndPoints
Part 3: OAuth Grant Types
Part 4: OAuth Flows – Authorization Code Flow

Part 1: OAuth Actors

Resource Owner1. owns resources – like email
2. owns login credentials
3. delegates access to Third-party application
(Third-party application)
1. wants to get access to resources to provide some functionality
2. holds access tokens
3. ideally should not hold password of resource owner
4. identified via ClientI D and Client Secret
OAuth Servers1. Login Page component
2. LDAP Server to validate user password
3. Consent Page component
4. Token Database component
5. Exposes 2 enpoints

Part 2: OAuth EndPoints

ProviderHTTP HeaderHTTP MethodEndPointInputs
OAuth ServernoneGET/authorizestate  = used to correlate which response maps to which /auth request – can contain any random string (optional)

scope = defines type of resources requested by client application (mandatory)

response_type =  code (for Authorization Code Grant) | token (for Implicit Grant) (mandatory)

client_id = identification of client (mandatory)

redirect_uri = redirect endpoint to which result of /authorize is sent to  using query parameters (mandatory)
ClientGET/redirectstate = receives  state provided to the /authorize endpoint

scope  = receives  scope provided to the /authorize endpoint

code  = receives  code generated from the /authorize endpoint
OAuth ServerAuthorization: Basic {clientID: clientSecret}POST/tokengrant_type  = authorization_code = Authorization Code Grant
password = Resource Owner Password Credentials Grant
client_credentials = Client Credentials Grant”

client_id  = identification of client

client_secret  = only for Client Credentials Grant

username  = only for Resource Owner Password Credentials Grant

password  = only for Resource Owner Password Credentials Grant

code  = only for Authorization Code Grant
value of authorization code recieved from /authorize

redirect_uri = only for Authorization Code Grant
value of the redirect_uri parameter passed to /authorize
OAuth Server/verifyonly internally accessible by Resource Server.
checks if Access Token is valid or not
Resource ServerAuthorization: Bearer {AccessToken}/api

Part 3: OAuth Grant Types

Grant TypeEndPointInputReturnWhen to Use
Authorization Code Grant/authorizeresponse_type=code
Authorization Code
Use when the Client is a web app executing on the server
Authorization Code Grant/tokengrant_type=authorization_code
Access Token + Refresh Token
Use when the Client is a web app executing on the server
Implicit Grant/authorizeresponse_type=token
Access Token
Use when the Client is a Single-Page App running in a browser using a scripting language like JavaScript
Client Credentials Grant/tokengrant_type=client_credentials
Access Token + Refresh Token
Use when the Client is also the Resource Owner. machine-to-machine authorization
Resource Owner Password Credentials Grant/tokengrant_type=password
Access Token + Refresh Token
Use when the Client absolutely trusted with user credentials. If redirect-based flows are not possible.
Authorization Code Flow with Proof Key for Code Exchange (PKCE)

Part 4: OAuth Authorization Code Flow

Resource OwnerClientRequest InformationOAuth ServerResource Server
(1) Hit Login link with Client

(2) Send Auth request to OAuth Server

GET /authorize


Host: oauth.server.com

(3) Matches client_id and redirect_uri of registered client
(6) Gets Login Page from OAuth Server(5) Redirect

Login Page


(4) Send Redirect to Login Page

(7) Enter Login Credentials. Send directly to OAuth Server

Filled Login Page

(8) Validates Credentials in LDAP Source configured
(10) Gets Consent Page from OAuth ServerConsent Page

(9) Send Consent Page with Scopes

(11) Give Consent. Send directly to OAuth Server

Consent Provided

(12) Validates consent.
(14) Owner Browser receives  Redirect HTTP/1.1 302 Found
Location: https://client.com/redirect?


(13) Send Redirect to Redirect URL

(15) Owner Browser redirects

(16) Client Gets the Authorization Code

Sends request to Token Endpoint of OAuth Server

POST /token HTTP/1.1

Host: oauth.server.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic xxxclientidxxxclientsecretxxx


(17) Validates Authorization Header for Client ID and Client Secret

Validates if Authorization Code is valid
(19) Client receives  the Access TokenHTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8

{  “access_token”: “ttttttttt”,
  “token_type”: “Bearer”,
  “expires_in”: 3600,
  “refresh_token”: “rrrrrrrr”,
  “scope”: “email” }

(18) Create an Access Token and send it back to the Client

Scopes are sent if the granted scopes differ from the requested ones.

(20) Client sends API request to Resource Server

GET /api
Authorization: Bearer ttttttttt
Host: resource.server.com

(21) receives  API request from Client
(24) Resource Owner receives  the Resource(23) Client receives  the Resource


(22) Verify Token with OAuth Server

Send the resource back to Client.


1 comment on OAuth 2.0 Cheat Sheet: What is OAuth 2? – Actors, EndPoints, Grant Types, OAuth Flows

Leave a Reply

Your email address will not be published. Required fields are marked *