English for OAuth2 Flows
Learn the English vocabulary for OAuth2 authorization: grant types, tokens, and scopes, explained for discussing authentication and authorization clearly.
“OAuth” gets used as a catch-all for login, authentication, and authorization, but those are three different concepts, and OAuth2 itself is really a family of different flows for different client types — precise vocabulary here prevents genuinely insecure implementations, not just confusing conversations.
Key Vocabulary
Authorization code flow — the OAuth2 grant type where a client redirects the user to an authorization server, receives a short-lived code on redirect back, and exchanges that code server-side for tokens, keeping tokens out of the browser’s URL and history. “We use the authorization code flow with PKCE for the web app, so the actual access token is never exposed in a redirect URL that could end up in browser history or referrer headers.”
Access token — the credential a client presents to an API to prove it’s authorized to act on a resource, typically short-lived and scoped to specific permissions. “The access token expires in fifteen minutes, so the client needs to refresh it well before making a long-running API call.”
Refresh token — a longer-lived credential used to obtain a new access token without requiring the user to log in again, issued alongside the access token in flows that support it. “We store the refresh token securely server-side and use it to silently mint new access tokens, so the user’s session doesn’t expire every fifteen minutes.”
Scope — a string identifying a specific permission being requested (read:orders, write:profile), letting a client request only the access it actually needs rather than a blanket grant. “The integration only requested the read:orders scope, so even with a leaked token, an attacker couldn’t modify anything — just read order data.”
PKCE (Proof Key for Code Exchange) — an extension to the authorization code flow that prevents an intercepted authorization code from being exchanged by an attacker, required for public clients like mobile and single-page apps that can’t securely store a client secret. “Since this is a single-page app with no way to keep a secret confidential, we’re required to use PKCE — it binds the code exchange to the same client that started the flow.”
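To make “binds the code exchange to the same client that started the flow” concrete, here is an added example (not code from the original page) of the PKCE S256 check: the client keeps a secret code_verifier and sends only its SHA-256 challenge, and the authorization server refuses to exchange the code unless the matching verifier is presented. The in-memory AuthorizationServer class is an assumed stand-in for a real server, and the constants match RFC 7636.

```python
import base64
import hashlib
import secrets


def _b64url(raw: bytes) -> str:
    # Base64url without padding, as RFC 7636 requires
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def generate_verifier() -> str:
    # 32 random bytes -> 43 unreserved chars (RFC 7636 allows 43-128)
    return _b64url(secrets.token_bytes(32))


def challenge_from_verifier(verifier: str) -> str:
    # S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Constructed stand-in: stores the challenge that arrived with each code."""

    def __init__(self) -> None:
        self._pending: dict[str, tuple[str, str]] = {}

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        # Issued on the redirect back to the client; tied to the challenge
        code = secrets.token_urlsafe(24)
        self._pending[code] = (code_challenge, method)
        return code

    def exchange(self, code: str, code_verifier: str):
        # Single use: any attempt consumes the code, so a replay fails too
        entry = self._pending.pop(code, None)
        if entry is None:
            return None
        challenge, method = entry
        if method != "S256" or not 43 <= len(code_verifier) <= 128:
            return None
        # Constant-time compare; a party holding only the code cannot pass
        if not secrets.compare_digest(challenge_from_verifier(code_verifier), challenge):
            return None
        return {"access_token": secrets.token_urlsafe(16), "expires_in": 900}
```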
Common Phrases
- “Which grant type are we using here — authorization code, or client credentials?”
- “Is the access token scoped narrowly enough, or is it requesting more than it needs?”
- “Are we using PKCE on this flow, since it’s a public client?”
- “How long does the refresh token live before it needs re-authentication?”
- “Is this an authentication check or an authorization check we’re actually doing here?”
Example Sentences
Reviewing a new integration’s OAuth setup: “This client is requesting the admin:all scope for a feature that only needs to read user profiles — can we narrow the scope request before this ships?”
Explaining a session-expiry bug: “Users were getting logged out every fifteen minutes because we weren’t using the refresh token to silently renew the access token — we were just letting the session die and forcing a full re-login.”
Flagging a security gap in code review: “This is a single-page app doing the authorization code flow without PKCE, which means an intercepted code could be exchanged by anyone. We need to add PKCE before this goes to production.”
Professional Tips
- Distinguish authentication (“who are you”) from authorization (“what can you do”) explicitly — OAuth2 is fundamentally an authorization framework, and conflating the two leads to real security gaps.
- Always name the specific grant type in design discussions rather than saying “we’re using OAuth” — authorization code, client credentials, and device flow solve different problems and have different security properties.
- Push back on overly broad scope requests in code review — the specific string requested should map to the specific permission the feature actually needs.
- Require PKCE for any public client (mobile, SPA) using the authorization code flow — flag its absence explicitly as a security issue, not a style preference.
Practice Exercise
- Write a sentence distinguishing an access token from a refresh token.
- Explain why PKCE matters for a single-page app.
- Describe what a narrowly scoped OAuth request looks like versus a broad one.