5 exercises on OAuth 2.0 and OpenID Connect authentication and authorization.
What is the OAuth authorization code flow?
The authorization code flow is OAuth 2.0's most secure and common grant. The client redirects the user to the authorization server to log in and consent; the server redirects back with a short-lived authorization code. The client then exchanges that code — on a secure back-channel, along with its client secret — for an access token. Because tokens never travel through the browser URL, they are far less exposed than in the deprecated implicit flow. It suits web apps with a backend that can keep a secret.
What problem does PKCE solve in OAuth?
PKCE (Proof Key for Code Exchange) hardens the authorization code flow for public clients — mobile and single-page apps that cannot safely store a client secret. The client generates a random code verifier, sends its hashed code challenge when requesting the code, and later presents the original verifier when exchanging the code for tokens. The auth server checks they match, so an attacker who intercepts the authorization code cannot redeem it without the verifier. PKCE is now recommended for all OAuth clients, public or confidential.
How do an access token and a refresh token differ?
An access token is the credential the client presents to APIs (usually as a Bearer header) to prove it is authorized; it is deliberately short-lived to limit the damage if leaked. A refresh token is a longer-lived credential the client uses to request fresh access tokens from the auth server without making the user log in again. Refresh tokens are guarded carefully — stored securely and often rotated on each use — because they grant prolonged access. This split balances usability against security.
What is a scope in OAuth?
A scope is a space-delimited list of permission identifiers the client requests, such as read:profile or write:repos. The authorization server presents these to the user during consent and issues a token limited to the approved scopes, enforcing the principle of least privilege — the client gets only what it needs. Resource servers check the token's scopes before honoring a request. Scopes let one authorization system grant finely differentiated access across many APIs and operations.
What are JWT claims in OpenID Connect?
A JWT (JSON Web Token) carries claims — assertions about an entity encoded as JSON key-value pairs in the token's payload. Standard registered claims include sub (subject/user ID), iss (issuer), aud (intended audience), exp (expiry), and iat (issued-at). OpenID Connect adds the ID token, a JWT whose claims (like email and name) describe the authenticated user. Because the token is signed, a verifier can trust the claims without calling the issuer, after validating the signature, audience, and expiry.