OAuth2 & OIDC Patterns

Secure authorization and authentication patterns using OAuth2 flows and OpenID Connect for identity federation.

Architecture Diagram

Figure: OAuth 2.0 Authorization Code Flow with PKCE. The diagram shows four participants and a ten-step exchange in which the user authenticates, the client is authorized, and a protected resource is accessed, with PKCE as the security extension.

Participants:

  • User (Resource Owner): authenticates and grants permission
  • Client App (SPA / mobile app): public client, uses PKCE
  • Auth Server (Identity Provider): issues tokens, validates PKCE
  • Resource API (protected resources): validates tokens, returns data

Steps:

  1. Client generates the PKCE pair: code_verifier and code_challenge
  2. Login request
  3. Authorization request carrying the code_challenge
  4. User authentication (login form and credentials)
  5. User grants permission (consent)
  6. Authorization code returned to the client via redirect
  7. Token request with the code and the code_verifier
  8. Access token and ID token returned (JWTs)
  9. API request with the bearer access_token
  10. Protected resource returned (API response data)

Security features: PKCE prevents authorization code interception attacks; the state parameter prevents CSRF.
Token types: access token for API authorization (short-lived); ID token for user identity (OIDC).

What it is

OAuth2 is an authorization framework: it lets a user delegate limited API access to a client without sharing credentials, but it does not by itself tell the client who the user is. OpenID Connect (OIDC) layers authentication on top of it by adding the ID token and a standard userinfo endpoint. Together they enable identity federation (logging in with an external identity provider) and API access control.

Common Flows

  • Authorization Code Flow: server-side apps acting as confidential clients (the client secret stays on the server)
  • Authorization Code Flow with PKCE: mobile apps and SPAs, which are public clients that cannot keep a secret; PKCE is an extension of the code flow rather than a separate grant, and the OAuth 2.0 Security Best Current Practice recommends it for confidential clients as well
  • Client Credentials Flow: service-to-service access with no user involved; the token represents the service itself
  • Device Authorization Flow: input-constrained devices (IoT, smart TVs); the user approves the request on a second device with a browser
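The ten-step exchange in the diagram and the PKCE variant of the code flow listed above, carried through in code on both sides. This is an added example written for this page, not code from the original or from any particular identity provider: the in-memory `ToyAuthServer`, the client id `spa`, the redirect URI `https://app.example/cb` and the token response shape are constructed for the demonstration, while the verifier/challenge computation follows RFC 7636 (S256). The `attacker_steals_code` switch shows why interception of the redirect alone is not enough.

```python
"""PKCE authorization code flow, client and server side, against a constructed
in-memory authorization server (added example, not code from the original page)."""
from __future__ import annotations

import base64
import hashlib
import os
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_pkce_pair() -> tuple[str, str]:
    """Step 1: 32 random bytes -> 43-char verifier; challenge = S256(verifier)."""
    verifier = b64url(os.urandom(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(verifier: str, challenge: str) -> bool:
    """Authorization-server check at token time (step 7)."""
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)


class ToyAuthServer:
    """Constructed authorization server: remembers the challenge that came with
    each authorization request and enforces it when the code is exchanged."""

    def __init__(self, registered_redirects: dict[str, str]):
        self.registered_redirects = registered_redirects  # client_id -> exact redirect_uri
        self.pending: dict[str, dict] = {}                 # code -> request context

    def authorize(self, params: dict) -> str:
        """Steps 3-6: after login and consent, issue a one-time code via redirect."""
        if params.get("code_challenge_method") != "S256":
            raise ValueError("missing or 'plain' challenge method rejected")
        if self.registered_redirects.get(params["client_id"]) != params["redirect_uri"]:
            raise ValueError("redirect_uri does not exactly match registration")
        code = secrets.token_urlsafe(32)
        self.pending[code] = {
            "client_id": params["client_id"],
            "redirect_uri": params["redirect_uri"],
            "challenge": params["code_challenge"],
        }
        return f"{params['redirect_uri']}?{urlencode({'code': code, 'state': params['state']})}"

    def token(self, code: str, verifier: str, client_id: str, redirect_uri: str) -> dict:
        """Step 7: the code alone is worthless; the verifier must match the challenge."""
        ctx = self.pending.pop(code, None)  # single use: a replayed code fails here
        if ctx is None:
            raise PermissionError("unknown or already used code")
        if ctx["client_id"] != client_id or ctx["redirect_uri"] != redirect_uri:
            raise PermissionError("code was issued to a different client or redirect")
        if not verify_pkce(verifier, ctx["challenge"]):
            raise PermissionError("PKCE verification failed")
        # Step 8: constructed token response (a real server would also return an ID token).
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 300}


def run_flow(server: ToyAuthServer, client_id: str, redirect_uri: str,
             attacker_steals_code: bool = False) -> dict:
    """Client side of the flow; returns the token response or raises PermissionError."""
    verifier, challenge = generate_pkce_pair()
    state = secrets.token_urlsafe(16)
    auth_request = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": "openid profile", "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    callback = server.authorize(auth_request)
    q = parse_qs(urlparse(callback).query)
    if q["state"][0] != state:  # CSRF check: the callback must belong to a request we started
        raise PermissionError("state mismatch")
    code = q["code"][0]
    if attacker_steals_code:
        # Attacker intercepted the redirect (and the code) but never saw the verifier.
        return server.token(code, generate_pkce_pair()[0], client_id, redirect_uri)
    return server.token(code, verifier, client_id, redirect_uri)


if __name__ == "__main__":
    srv = ToyAuthServer({"spa": "https://app.example/cb"})
    print(run_flow(srv, "spa", "https://app.example/cb"))
```

Two details carry most of the security value: the verifier never leaves the client until the token request, which is made over TLS directly to the token endpoint rather than through the browser redirect, and the server pops the code on first use so a replayed code fails even with the right verifier.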

Token Types

  • Access Token: bearer token presented to APIs (JWT or opaque); the resource server must validate it on every request, checking signature, issuer, audience, expiry and scope for a JWT, or introspecting an opaque token
  • Refresh Token: longer-lived credential used to obtain new access tokens without re-prompting the user; it is highly sensitive, so rotate it on every use (with reuse detection) for public clients and store it only where the client can protect it
  • ID Token: signed JWT carrying user identity claims for the client (OIDC); it is proof of authentication for the client, not an API credential, and should not be sent to resource servers
  • Token introspection (RFC 7662): the resource server asks the authorization server whether a token is currently active and what scope it carries; this gives real-time revocation at the cost of a network call per check

Security Considerations

  • Token storage and transmission: TLS only; never carry tokens in URLs (they leak into logs and referrers) and keep them out of storage that page scripts can read, since an XSS bug then becomes a token theft; for SPAs prefer in-memory access tokens and HttpOnly, Secure cookies for the session
  • Scope management and least privilege: request only the scopes the client needs, and have resource servers enforce scope and audience rather than accepting any valid token from the issuer
  • Token lifetime and refresh strategy: short-lived access tokens (minutes), refresh-token rotation with reuse detection, and revocation on logout or suspected compromise
  • PKCE for public clients, state for CSRF protection on the callback, nonce to bind the ID token to the login request, and exact-match registration of redirect URIs
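The claim checks that the token-type and security bullets above describe, applied to an ID token. This is an added example written for this page, not code from the original or from any provider or library. It uses HS256 with a constructed shared key so that it runs with the standard library alone; real providers sign ID tokens with RS256 or ES256 and publish their keys at the JWKS endpoint, and in production you would hand signature verification to a maintained JWT library. The claim logic (pinned algorithm, issuer, audience and azp, expiry with leeway, nonce) is the same either way. The issuer URL, client id, subject and nonce values are constructed.

```python
"""Validating an OIDC ID token's signature and claims with the standard library only.
Added example, not the page's code; HS256 with a constructed shared key stands in
for the RS256/ES256 + JWKS setup a real provider uses."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, key: bytes) -> str:
    """Constructed issuer side, only so the example has a token to validate."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


class IdTokenError(Exception):
    pass


def validate_id_token(token: str, key: bytes, issuer: str, client_id: str,
                      expected_nonce: str, now: float | None = None,
                      leeway: int = 60) -> dict:
    """Return the claims if every check passes, otherwise raise IdTokenError."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
    except ValueError:  # wrong number of parts, bad base64, bad JSON
        raise IdTokenError("malformed token")
    # 1. Pin the algorithm you configured instead of trusting the token's header.
    #    This rejects alg=none and RS256/HS256 confusion with one comparison.
    if header.get("alg") != "HS256":
        raise IdTokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise IdTokenError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    # 2. Issuer must be the provider this client was configured for.
    if claims.get("iss") != issuer:
        raise IdTokenError("wrong issuer")
    # 3. aud may be a string or a list; our client_id must be present, and with
    #    several audiences azp must name us (OIDC Core 3.1.3.7).
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise IdTokenError("token not intended for this client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise IdTokenError("azp missing or wrong on multi-audience token")
    # 4. Time window, with a small leeway for clock skew.
    if claims.get("exp") is None or now > claims["exp"] + leeway:
        raise IdTokenError("expired")
    if claims.get("iat") is not None and claims["iat"] > now + leeway:
        raise IdTokenError("issued in the future")
    # 5. nonce binds this token to the login request the client started (replay defence).
    if not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise IdTokenError("nonce mismatch")
    return claims


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    now = int(time.time())
    token = mint_id_token({"iss": "https://idp.example", "sub": "user-1", "aud": "spa",
                           "exp": now + 300, "iat": now, "nonce": "n-123"}, key)
    print(validate_id_token(token, key, "https://idp.example", "spa", "n-123"))
```

The order matters: signature first, then claims, so that an attacker cannot learn anything about accepted issuers or audiences from an unsigned token, and the nonce comparison is constant-time for the same reason the signature comparison is.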

When to use

  • API access control and resource protection
  • Single sign-on across multiple applications
  • Third-party integrations and partner access
  • Modern web and mobile application authentication