π― What is OAuthΒ ?
β‘ Simple Definition
OAuth (Open Authorization) = A framework that allows apps to get limited access to user accounts on other apps WITHOUT sharing passwords!
ποΈ Real-Life Example
Example: "Login with Google" on Spotify
π€ You visit Spotify
β
π Spotify asks: "Login with Google?"
β
π Goes to Google login page
β
π€ You login to Google
β
π Google asks: "Allow Spotify to see your profile?"
β
π€ You click "Allow"
β
π Google sends OK to Spotify
β
π Spotify logs you inπ₯ 3 Main Players in OAuth
1οΈβ£ Resource Owner (You)
π€ The user who owns the data
βββ Has account on Google/Facebook/etc.
βββ Controls what apps can access
βββ Says YES or NO to access requests2οΈβ£ Client App (Spotify/App)
π The app wanting your data
βββ Wants to access your info
βββ Starts the OAuth process
βββ Uses tokens to get your data
Examples:
β’ Spotify wanting your Google profile
β’ App requesting Facebook contacts
β’ Website using GitHub login3οΈβ£ OAuth Provider
π The big company hosting your data
βββ π‘οΈ Authorization Server
β βββ Handles login
β βββ Creates codes
β βββ Makes tokens
β
βββ π¦ Resource Server
βββ Stores your data
βββ Checks tokens
βββ Gives data when asked
Examples:
β’ Google
β’ Facebook
β’ GitHub
β’ Microsoftπ‘ Common Uses
π Single Sign-On (SSO)
βββ "Login with Google"
βββ "Continue with Facebook"
βββ "Sign in with GitHub"
π± App Connections
βββ "Give Spotify your Facebook friends"
βββ "Allow app to read emails"
βββ "Connect Instagram to posting tool"
π Service Links
βββ Link GitHub to Slack
βββ Connect Google Drive to Dropbox
βββ Sync calendar with task appβοΈ Good vs Bad
β
BENEFITS:
βββ π You don't share passwords
βββ π― Control what apps can access
βββ π Easy to remove access
βββ π Same system everywhere
βββ π± Works on phone and computer
β PROBLEMS:
βββ π΄ Rules can be confusing
βββ π΄ Many security options (easy to miss)
βββ π΄ Developers make mistakes
βββ π΄ Many moving parts
βββ π΄ Often misunderstoodπ History
π
2006 β Twitter talks about open auth
π
2007 β OAuth 1.0 discussions start
π
2010 β OAuth 1.0 published
π
2012 β OAuth 2.0 released (current)
π
2014 β OpenID Connect released
π
2016 β More security rules added
π
2019-2025 β Many security holes found
π
2025 β OAuth 2.1 coming (more secure)π OAuth 1.0 vs 2.0
π OAuth 1.0a (Old)
π Released: 2010
β οΈ Status: Old (don't use new)
Key Points:
βββ Needs complex signatures
βββ Hard to build right
βββ Very secure by design
βββ Every request must be signed
Why Not Used:
β Too hard for developers
β Bad for mobile/apps
β Complex to do rightπ OAuth 2.0 (Current)
π Released: 2012
β
Status: What everyone uses now
Key Points:
βββ Easier to build
βββ Multiple ways to work
βββ Uses simple bearer tokens
βββ Great for mobile/web
βββ Flexible framework
Security Warning:
β οΈ Easier = Some security trade-offs
β οΈ Needs HTTPS always
β οΈ Many optional security features
β οΈ Different apps do it differentlyπ Quick Comparison
ββββββββββββββββββββ¬βββββββββββββββ¬βββββββββββββββ
β β OAuth 1.0a β OAuth 2.0 β
ββββββββββββββββββββΌβββββββββββββββΌβββββββββββββββ€
β Signatures β Required β Optional β
β HTTPS Required β No β Yes β
β Complexity β High β Low β
β Token Types β 1 type β Many types β
β Mobile Support β Bad β Excellent β
β Security β Built-in β Up to you β
β Easy to Build β No β Yes β
ββββββββββββββββββββ΄βββββββββββββββ΄βββββββββββββββπ¬ How OAuth 2.0 Works
π Basic Flow (8 Steps)
Step 1: User Clicks Login
π€ You click "Login with Google" on App
Step 2: Go to Google
π App β π€ β Goes to Google
Step 3: You Login
π€ You enter Google username/password
π Google checks it's really you
Step 4: You Say Yes
π Google asks: "Allow App to see your profile?"
π€ You click "Allow"
Step 5: Google Sends Code
π Google β π€ β Returns to App with code
Step 6: App Gets Token
π App β π Google β Trades code for token
Step 7: App Gets Your Data
π App β π¦ Google β Uses token to get your info
Step 8: You're Logged In
π App β π€ β Creates session, you're in!ποΈ Key Parts of OAuth
π Access Token
What: Short-lived key for API access
Format: Random string or JWT
Lasts: 1-60 minutes usually
Use: To get protected data
Example:
Bearer eyJhbGciOiJIUzI1NiIs...π Refresh Token
What: Long-lived key to get new access tokens
Format: Random string
Lasts: Days to years
Use: Get new tokens without login
β οΈ Security: VERY important - keep safe!π Authorization Code
What: Temp code traded for token
Format: Random string
Lasts: 30-60 seconds
Use: Middle step in some flows
Example:
4/P7q7W91a-oMsCeLvIaQm6bTrgtp7π« ID Token
What: Proof of who you are (JWT)
Format: JWT
Use: Says "this is really this user"
Has: User ID, email, name, etc.
Example:
eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ...π Important Parameters
Login Request:
client_id β Which app is asking
redirect_uri β Where to send user after
response_type β What to return (code/token)
scope β What permissions needed
state β Security token (stop CSRF)
nonce β Stop replay attacks
code_challenge β Extra security (PKCE)Example Login URL:
https://accounts.google.com/o/oauth2/v2/auth?
client_id=123456789.apps.googleusercontent.com&
redirect_uri=https://myapp.com/callback&
response_type=code&
scope=openid profile email&
state=af0ifjsldkj&
nonce=n-0S6_WzA2MjToken Request:
grant_type β What type (code, refresh)
code β Code received
client_id β App ID
client_secret β App secret (if has one)
redirect_uri β Must match
refresh_token β For new tokensExample Token Request:
POST /token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&
code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7&
client_id=123456789.apps.googleusercontent.com&
client_secret=gX_rR3RvA7wke47dwxMvSg_E&
redirect_uri=https://myapp.com/callbackToken Response:
{
"access_token": "ya29.a0AfH6SMBx...",
"expires_in": 3600,
"token_type": "Bearer",
"scope": "openid profile email",
"refresh_token": "1//0gOj4ZfYRMG5C...",
"id_token": "eyJhbGciOiJSUzI1NiIs..."
}π― Common Scopes
What: Defines what app can do
Format: Words separated by spaces
Common Ones:
βββ openid β For login
βββ profile β Basic info (name, photo)
βββ email β Email address
βββ read:user β Read user data
βββ write:repo β Write to repos
βββ admin:org β Admin access
βββ offline_accessβ Get refresh token
Example:
scope=openid profile emailπ OAuth 2.0 Grant Types
π’ TYPE 1: Authorization Code (Most Secure)
β
Most secure way
β
Back-channel used
β
Best for web apps
β
Needs app secret
β
Token never in browserHow It Works:
1. User β App
Click "Login with Google"
2. App β User (Browser)
Go to: Google?client_id=APP&response_type=code
3. User β Google
Login & say "Allow"
4. Google β User (Browser)
Return to: app.com/callback?code=XYZ
5. App β Google (Server)
POST: trade code for token
6. Google β App
Give: access_token, refresh_token
7. App β Google API
Use token to get user data
8. App β User
Create session, user logged inSecurity:
β
Code used only once
β
Code lasts 30-60 seconds
β
Needs app secret
β
Token via secure channel
β
Token never in browser
β
state stops CSRFBest For:
β
Websites with backend
β
Apps that can keep secrets
β
When security is #1
β
Traditional web appsπ‘ TYPE 2: Implicit (Deprecated)
β οΈ DON'T USE (OAuth 2.1 removes it)
β οΈ Less secure
β οΈ Token in browser
β οΈ No app secretFlow:
1. User β App
Click "Login"
2. App β User
Go to: Google?response_type=token
3. User β Google
Login & allow
4. Google β User
Return to: app.com#access_token=XYZ
5. App (JavaScript) gets token from URL
6. App β Google API
Use token to get dataProblems:
β Token in URL (browser sees it)
β Browser history has token
β No app check
β Token in JavaScript
β XSS attacks can steal itWhy Not Use:
π΄ OAuth 2.1 removes it
π΄ Use Authorization Code + PKCE instead
π΄ Too many security risksπ΅ TYPE 3: Authorization Code + PKCE
β
Secure for public apps
β
No app secret needed
β
Best for mobile/SPA
β
Standard in OAuth 2.1
β
Stops code stealingPKCE Parts:
π code_verifier β Random string (43-128 chars)
π code_challenge β SHA256(code_verifier)
π method β "S256" or "plain"Flow:
1. App makes random code_verifier
verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
2. App makes code_challenge
challenge = SHA256(verifier) then base64
3. App β User
Go to: Google?code_challenge=E9Melhoa...
4. User β Google
Login & allow
5. Google β User
Return to: app.com?code=XYZ
6. App β Google
POST: code=XYZ & code_verifier=original
7. Google checks:
SHA256(verifier) == challenge?
8. If match, gives tokenSecurity Benefits:
β
Stops code stealing
β
No app secret needed
β
Even if code stolen, can't use without verifier
β
Good for public appsBest For:
β
Mobile apps
β
Single-page apps (SPA)
β
Desktop apps
β
Any app without secret
β
RECOMMENDED FOR ALL in OAuth 2.1π£ TYPE 4: Password Credentials (Avoid)
β οΈ User gives password to app
β οΈ Only for very trusted apps
β οΈ NOT recommended
β οΈ Legacy use onlyFlow:
1. User β App
Give username/password
2. App β Google
POST: username=user&password=pass&grant_type=password
3. Google β App
Give access_tokenWhy Avoid:
β App sees your password
β Password exposed to app
β No "allow" screen
β Hard to remove access
β Security anti-patternOnly Use If:
πΈ Moving from old system to OAuth
πΈ Same company's mobile app
πΈ Very trusted only
πΈ No other option
Better: β
Authorization Code + PKCEπ TYPE 5: Client Credentials
β
App-to-app only
β
No user involved
β
Service accounts
β
Backend talking to backendFlow:
1. Service A β Google
POST: client_id=SERVICE&client_secret=SECRET&grant_type=client_credentials
2. Google β Service A
Give access_token
3. Service A β Service B
Use token to call APIUse Cases:
β
Microservices talking
β
Background jobs
β
Scheduled tasks
β
Server-to-server calls
β
Automated processesπ TYPE 6: Refresh Token
β
Get new token without login
β
Long-lived token
β
More sensitive than access token
β
Can be removedFlow:
1. Token expires
App tries API, gets 401 error
2. App β Google
POST: grant_type=refresh_token&refresh_token=OLD_TOKEN
3. Google β App
Give new access_token, maybe new refresh_token
4. App uses new tokenSecurity Notes:
β
Refresh tokens last long
β
Store VERY securely
β
User can remove them
β
New refresh token each time is good
β
Tie to specific appπ Grant Type Comparison
ββββββββββββββββββββ¬βββββββββββ¬βββββββββββ¬βββββββββββ¬βββββββββββ
β βAuth Code βImplicit β PKCE β Client β
β β β(Old) β β Creds β
ββββββββββββββββββββΌβββββββββββΌβββββββββββΌβββββββββββΌβββββββββββ€
βUser Involved β Yes β Yes β Yes β No β
βApp Secret Needed β Required β No β No β Required β
βSecurity Level β High β Low β High β Medium β
βToken in Browser β No β Yes β No β No β
βBest For β Web β N/A β Mobile/ β App-to- β
β β Apps β β SPA β App β
βOAuth 2.1 Status β β
β β β β
β β
β
ββββββββββββββββββββ΄βββββββββββ΄βββββββββββ΄βββββββββββ΄βββββββββββπ Using OAuth for Login
π― How Apps Use OAuth for Login
Original OAuth Purpose:
βββ Let apps access data
βββ NOT for proving who you are
Common Use:
βββ "Sign in with Google"
βββ "Login with Facebook"
βββ "Continue with GitHub"How It's Done:
Step 1: Ask for basic info
π App asks to see your profile
Step 2: OAuth happens
π App gets access token
Step 3: Get your info
π¦ App asks for: /userinfo
Step 4: App logs you in
π App uses email to know who you are
π Creates session for you
Result: You're logged in via OAuthβ οΈ Problems
π΄ OAuth wasn't made for login
π΄ No standard way to get user info
π΄ Token β proof of identity
π΄ No standard user ID
π΄ No login event info
π΄ Token might be reused
Solution: OpenID Connect (OIDC)π OpenID Connect (OIDC)
π What is OIDC?
OpenID Connect = Login layer on top of OAuth 2.0
Purpose:
β
Standard login via OAuth
β
Get user identity info
β
Add login-specific features
β
Fix OAuth-for-login problemsπ OIDC vs OAuth 2.0
OAuth 2.0:
βββ Access control
βββ "What can you access?"
βββ Gives access tokens
OpenID Connect:
βββ Login system
βββ "Who are you?"
βββ Gives access + ID tokens
βββ Standard user infoπ Key OIDC Features
1οΈβ£ ID Token (JWT)
What: JWT with who-you-are info
Format: JWT (header.payload.signature)
Use: Prove user login
Has: User identity + login details
Example:
eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.
eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20i...
What's Inside:
{
"iss": "https://accounts.google.com",
"sub": "110169484474386276334",
"email": "user@example.com",
"email_verified": true,
"name": "John Doe",
"picture": "https://lh3.googleusercontent.com/..."
}ID Token Info:
iss (issuer) β Who made token
sub (subject) β User's unique ID
aud (audience) β Who token is for
exp (expires) β When token ends
iat (made at) β When token made
auth_time β When user logged in
nonce β Stop replay attacks2οΈβ£ /userinfo Endpoint
Where: /userinfo
Use: Get detailed user info
How: GET with token
Request:
GET /userinfo
Authorization: Bearer TOKEN
Response:
{
"sub": "248289761001",
"name": "Jane Doe",
"email": "jane.doe@example.com",
"email_verified": true
}3οΈβ£ Standard Scopes
openid β Required for OIDC
profile β Basic profile (name, photo)
email β Email address
address β Home address
phone β Phone number
offline_access β Get refresh token
Example:
scope=openid profile email4οΈβ£ Discovery Endpoint
Where: /.well-known/openid-configuration
Use: Find OIDC info automatically
Example URL:
https://accounts.google.com/.well-known/openid-configuration
Returns:
{
"issuer": "https://accounts.google.com",
"authorization_endpoint": ".../auth",
"token_endpoint": ".../token",
"userinfo_endpoint": ".../userinfo"
}π Finding OAuth/OIDC
π― How to Spot OAuth
See It:
β
"Sign in with Google" button
β
"Continue with Facebook" option
β
"Login with GitHub" link
β
Social login buttons
β
SSO choicesTechnical Signs:
1. Use Burp Suite to watch traffic
2. Look for /authorize endpoint
3. Check URL for:
βββ client_id
βββ redirect_uri
βββ response_type (code/token/id_token)
βββ scope
βββ state
Example:
GET /oauth/authorize?
client_id=123456&
redirect_uri=https://app.com/callback&
response_type=code&
scope=read:user&
state=random123OIDC Signs:
β
scope has "openid"
β
response_type has "id_token"
β
/.well-known/openid-configuration exists
β
ID token in response
β
/userinfo endpoint there
Example OIDC:
GET /authorize?
client_id=123456&
redirect_uri=https://app.com/callback&
response_type=code&
scope=openid profile email&
state=random123&
nonce=abc789π Finding Steps
Step 1: Who's the Provider?
Check login page host:
βββ accounts.google.com β Google
βββ www.facebook.com β Facebook
βββ github.com β GitHub
βββ login.microsoftonline.com β MicrosoftStep 2: Map the Flow
1. Watch login request
βββ Note all parameters
βββ Check response_type
βββ Find grant type
2. Watch callback
βββ Check for code
βββ Check for token in URL
βββ Note state
3. Watch token exchange
βββ POST to /token
βββ Check for client_secret
βββ Note grant_type
4. Watch API calls
βββ Look for Authorization header
βββ Note Bearer tokens
βββ See what data is fetchedStep 3: Check for OIDC
Visit: https://provider.com/.well-known/openid-configuration
If exists β Using OIDC
Check for:
β
Endpoints list
β
Features supported
β
Token types
β
Grant typesπ Keep Learning
π OAuth 2.1 Specification (when available)
π OpenID Connect Core 1.0
π OWASP Authentication Cheat Sheet
π RFC 6749 (OAuth 2.0)
π RFC 6750 (Bearer Tokens)
π RFC 7636 (PKCE)
π RFC 8705 (OAuth 2.0 Mutual TLS)
π RFC 9449 (OAuth 2.0 Demonstrating Proof of Possession)π οΈ Tools for Testing
π§ Burp Suite Professional (OAuth/OpenID modules)
π§ OAuth 2.0 Playground (Google)
π§ Postman OAuth 2.0 flows
π§ OWASP ZAP (with OAuth add-on)
π§ mitmproxy
π§ jwt.io (JWT debugging)
π§ CanaryTokens for token leakage detection
π§ Custom scripts for automationπ Get Help
π OAuth 2.0 Security Best Practices (IETF)
π OWASP Web Security Testing Guide
π Security StackExchange
π Your organization's security team
π Professional penetration testers
π OAuth.net communityβ¨ Remember: OAuth is powerful but complex. Always prioritize security over convenience. Test thoroughly, implement carefully, and monitor continuously. β¨
.
π If this helped you β clap it up (you can clap up to 50 times!)
π Follow for more writeups β dropping soon
π Share with your pentest team
π¬ Drop a comment