Module 9 · Protocols, Security, Observability · Day 086 · 25 min

OAuth 2.1 and OIDC

Delegated authorization vs identity — and why both matter.


[Diagram: Authorization code with PKCE. Participants: User, SPA (client), AuthZ Server (external), Resource Server (service). Signal path: User starts the flow in the SPA; the SPA obtains a code from the AuthZ Server and presents an access_token to the Resource Server.]
Memory hook

OAuth 2.1 and OIDC: delegated authorization vs identity

Mental model

design for the day something breaks

Design lens

Implicit flow is deprecated.

Recall anchors
  • OAuth — authorization
  • OIDC — identity
  • Flows

Why it matters

OAuth 2.1 lets a client access a user's resources without the user handing that client their credentials. OIDC layers identity on top by adding an ID token that states who authenticated. Modern best practice: authorization code + PKCE for browser and mobile clients.

Deep dive

Authorization code flow: the client redirects the user to the authorization server, which authenticates the user and redirects back with a short-lived, single-use authorization code; the client then exchanges that code for tokens at the token endpoint.

PKCE binds the code to the client instance that started the flow: the token request must carry the code_verifier whose SHA-256 hash was sent as the code_challenge, so a code intercepted on the redirect is useless without the verifier.

Refresh tokens keep a session alive without prompting the user again; rotate them on every use and bind them to the client so a stolen one cannot be replayed.

Demo / scenario

SPA logs in via Google.

  1. App generates code_verifier + challenge.
  2. Redirect to Google with challenge.
  3. Google redirects back with code.
  4. App exchanges code+verifier for tokens.

Tradeoffs

  • Implicit flow is deprecated.
  • Refresh-token rotation prevents replay.
  • ID tokens shouldn't be used for API auth — use access tokens.

Diagram

[Diagram: Authorization code with PKCE. User → SPA → AuthZ Server (returns code) → SPA → Resource Server (presents access_token).]
