What is the purpose of the OAuth 2.0 Authorization Code flow?
Authorization Code flow: the user authenticates with the authorization server and approves the requested scope. The server issues a short-lived code that the app exchanges for tokens at the token endpoint. The user's credentials are never shared with the third-party application.
What is the PKCE extension and which flow does it secure?
PKCE: prevents authorization code interception attacks for mobile and SPA clients. The client generates a code verifier and hashes it into a code challenge sent upfront; the server verifies the original verifier at token exchange.
When is the Client Credentials flow appropriate?
Client Credentials: the client (a backend service) authenticates with its own client ID and secret to obtain a token. No user is involved. Used for service-to-service calls in microservices and daemon processes.
What is an access token versus a refresh token in OAuth 2.0?
Access vs refresh token: access tokens are sent with every API call and are short-lived (minutes to hours). Refresh tokens are stored more securely, are longer-lived, and are presented to the token endpoint to get a new access token without re-authenticating the user.
What is the scope parameter in OAuth 2.0?
Scope: defines the permissions being requested (e.g., read:email write:posts). The user sees the scopes during the consent screen and can approve or deny them. The issued token is limited to the granted scopes.