Web Development Programming

OAuth 2.0 and OpenID Connect Implementation: A Beginner's Practical Guide

Updated on
10 min read

OAuth 2.0 and OpenID Connect (OIDC) are crucial frameworks for managing delegated access and identity on the web. These technologies allow modern applications to securely access user data without handling sensitive credentials. Developers, security professionals, and anyone interested in authentication will benefit from this guide, which covers core concepts, common flows, and implementation strategies to build secure applications.

1. Core Concepts and Roles

Understanding core concepts and roles makes following OAuth 2.0 and OIDC flows more intuitive.

Key Actors:

  • Resource Owner: Typically, the user whose data is being accessed.
  • Client: The application requesting access (may include web apps, mobile apps, or backend services).
  • Authorization Server (AS) / Identity Provider (IdP): Issues tokens and handles authentication (for example, Auth0, Okta, Keycloak).
  • Resource Server: The API serving protected resources and validating access tokens.

Token Types:

  • Access Token: Used by the client to access the resource server; may be a JWT (JSON Web Token) or an opaque string.
  • Refresh Token: Allows clients to obtain new access tokens without user interaction; typically long-lived and sensitive.
  • ID Token (OIDC): A JWT containing identity claims about the user (e.g., sub, iss, aud). This token authenticates the user to the client.

Scopes and Claims:

  • Scopes: Strings representing permissions requested by the client (e.g., openid, profile, email, api.read). They limit what the access token can do.
  • Claims: Pieces of information in tokens (e.g., sub = subject/user ID, iss = issuer, aud = audience, exp = expiration).

2. Common OAuth 2.0 and OIDC Flows

Here are the most commonly used flows, along with suitable use cases:

Authorization Code Flow (for server-side web apps):

  • Steps:
    1. User clicks “Login” on the client and is redirected to the Authorization Server (AS).
    2. User authenticates and provides consent.
    3. AS redirects back to the client with an authorization code.
    4. Client (server) exchanges the code for tokens using its client secret.

This flow is secure for server-side apps because the client secret and token exchange happen on a trusted backend.

PKCE (Proof Key for Code Exchange) for Public Clients:

  • PKCE safeguards public clients (e.g., mobile apps, SPAs) from authorization code interception by generating a random code_verifier and deriving a code_challenge (SHA256).

Client Credentials Flow (Machine-to-Machine):

  • This flow involves no user; a trusted service retrieves an access token using its client ID/secret to call another API.

Deprecated Flows:

  • The Implicit Flow and Resource Owner Password Credentials (ROPC) are discouraged for most use cases. Utilize Authorization Code with PKCE for public clients instead.

Flow Recommendation Table:

App TypeRecommended Flow
Server-side web appAuthorization Code
Single Page App (SPA)Authorization Code with PKCE
Native mobile appAuthorization Code with PKCE
Backend service / daemonClient Credentials

3. OIDC Specifics: ID Token, UserInfo, and Discovery

The ID Token is a JWT containing claims about authentication and the user. Important claims include:

  • iss: The issuer identifier (the identity provider).
  • sub: A unique ID for the user.
  • aud: Client ID (or list) intended to receive the token.
  • exp: Expiration time.
  • iat: Issued at timestamp.
  • nonce: Used to associate requests and responses (to prevent replay).

Validation Checklist (Always verify these):

  1. Ensure the signature is verified with the AS public key (JWKS).
  2. Check that the issuer (iss) matches the expected value.
  3. Confirm that the audience (aud) includes your client ID.
  4. Verify that the exp has not passed.
  5. If you included a nonce in the request, ensure it matches.

UserInfo Endpoint vs. ID Token:

  • While the ID Token includes claims returned during authentication, the UserInfo endpoint can be accessed using an access token to obtain additional profile claims as needed.

Discovery and JWKS:

  • The discovery document (/.well-known/openid-configuration) allows clients to auto-discover endpoints (authorization, token, jwks_uri). For more, see the OpenID Connect Discovery section in the spec.
  • The JWKS endpoint provides public keys used to verify JWT signatures, eliminating the need for hard-coded keys.

4. Step-by-Step Implementation Checklist

  1. Choose an Identity Provider (IdP):

    • Managed providers (like Auth0, Okta, Azure AD B2C) allow quick starts, offering SDKs and dashboards.
    • Self-hosted options (such as Keycloak, IdentityServer) provide control but require operational work.
    • Helpful links include Auth0 Flows Docs and Okta’s Auth-Code Guide.

  2. Register Your Application:

    • Obtain client ID (and client secret for confidential clients).
    • Configure exact redirect URIs to avoid redirect_uri_mismatch errors.
    • Define allowed scopes (openid is vital for OIDC; add profile, email, and API scopes as needed).

  3. Implement Client-Side Logic:

    • Recommended libraries include MSAL (Microsoft), oidc-client-js (SPA), openid-client (Node), oauthlib (Python), spring-security-oauth2 (Java), and Keycloak adapters.
    • Utilize SDKs for token refresh, session management, and PKCE handling rather than crafting flows from scratch.

  4. Server-Side Token Handling and Resource Server Validation:

    • Validate access tokens at the resource server by verifying JWT signatures or employing introspection.
    • Protect token storage: keep refresh tokens in HTTP-only secure cookies on the server side. Avoid long-lived tokens in browsers.

  5. Environment and Redirect URI Considerations:

    • For localhost testing, maintain exact redirect URIs (e.g., http://localhost:3000/callback).
    • For mobile apps, use custom URI schemes or claimed HTTPS redirects (e.g., com.example.app://callback).
    • If running an IdP in containers (like Keycloak), familiarize yourself with container networking basics: Container Networking Guide.
    • For IdP integrations with on-prem directories (LDAP), see the LDAP Integration for Linux Systems Guide.

  6. Token Storage Tips:

    • For web apps (backend), store tokens on the server; utilize secure, HTTP-only cookies for session state.
    • For SPAs or mobile apps, opt for in-memory storage or secure platform storage while avoiding long-lived refresh tokens in localStorage. Favor Authorization Code with PKCE.

Example: Exchanging Code for Tokens (cURL)

curl -X POST \
  -d "grant_type=authorization_code&code=AUTH_CODE&redirect_uri=https://app.example.com/callback&client_id=CLIENT_ID&code_verifier=CODE_VERIFIER" \
  https://idp.example.com/oauth/token

If tokens are opaque, utilize the introspection endpoint to verify them on your resource server.

5. Security Best Practices

  • Use HTTPS Everywhere: Never transmit tokens or credentials over plain HTTP.
  • Employ PKCE for Public Clients: This is essential for SPAs and native apps.
  • Use Short-Lived Access Tokens: Implement refresh token rotation or revocation to minimize risk.
  • Adhere to Least Privilege Principles: Request only the scopes necessary for your application.
  • Protect Against CSRF: Utilize the state parameter to correlate authentication requests and responses.
  • Safeguard Secrets: Never embed client secrets in mobile apps or SPAs.
  • Avoid Token Exposure in URLs: Use POST or cookies when appropriate to prevent token leakage.
  • Utilize Secure, HTTP-Only, SameSite Cookies: This practice reduces XSS and CSRF vulnerabilities.
  • Keep Libraries Updated: Monitor for provider advisories to stay secure.

Common Parameters to Mitigate Attacks

  • state: A random string sent with the authorization request, verified upon return.
  • nonce: A unique value that prevents replay attacks in ID Tokens.

Token Rotation and Revocation

  • Refresh tokens should be rotated on use, with old tokens revoked server-side when supported. This practice diminishes the risk window in case of token leakage.

6. Testing, Debugging, and Useful Tools

Tools and Workflows:

  • jwt.io: Decode a JWT to inspect headers and claims. Useful for verifying iss, aud, and exp.
  • Postman: Emulate authorization flows and token exchange calls.
  • cURL: Script token exchanges and introspection calls.
  • openid-client (Node): Programmatic testing and discovery.
  • oauth2-proxy: Useful for protecting applications with OAuth.

Inspecting a JWT: Look for the following:

  • Header: Algorithm (alg) and key ID (kid).
  • Payload: iss, sub, aud, exp, iat, and custom claims.
  • Signature: Verify using JWKS.

Common Errors and Fixes:

  • redirect_uri_mismatch: Ensure that the exact redirect URI is registered.
  • invalid_client: Check for incorrect client ID/secret or a rotated secret.
  • invalid_grant: Verify if the code is wrong, expired, or has already been used.
  • CORS Issues for SPAs: Ensure the authorization server’s token endpoint permits your origin; it’s recommended to handle token exchanges on a backend to avoid CORS.

Utilize browser developer tools to track redirects and network requests. Review IdP logs for authentication errors and token issuance issues.

7. Example: Implementing Authorization Code + PKCE with a Public SPA (Short Walkthrough)

  1. Register the SPA with Your IdP:
    • Set the type to public client, add redirect URI (e.g., https://localhost:3000/callback), and enable the Authorization Code flow.
  2. Generate PKCE Values (JavaScript Example):
// Simple PKCE generation using Web Crypto
async function generatePKCE() {
  const codeVerifier = base64urlEncode(window.crypto.getRandomValues(new Uint8Array(32)));
  const digest = await window.crypto.subtle.digest('SHA-256', new TextEncoder().encode(codeVerifier));
  const codeChallenge = base64urlEncode(new Uint8Array(digest));
  return { codeVerifier, codeChallenge };
}

function base64urlEncode(buf) {
  return btoa(String.fromCharCode(...new Uint8Array(buf)))
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=+$/, '');
}
  1. Redirect the User to the Authorization Endpoint: Include parameters: response_type=code, client_id, redirect_uri, scope=openid profile, code_challenge, code_challenge_method=S256, and state.
  2. Exchange the Authorization Code on the Server Side or from the SPA:
    • If exchanging from the SPA, use the token endpoint and provide the code_verifier.
    • Prefer backend exchanges whenever feasible to reduce CORS and potential token leaks.
  3. Call API with Access Token:
curl -H "Authorization: Bearer <ACCESS_TOKEN>" https://api.example.com/user/profile

Storage Guidance:

  • For SPAs, keep tokens short-lived; store them in memory or use secure browser storage judiciously.
  • Leverage libraries like oidc-client-js or provider SDKs to avoid common pitfalls.

8. Best Practices Checklist & Next Steps

Actionable Checklist Before Production:

  • Enforce TLS for all endpoints.
  • Use Authorization Code + PKCE for public clients.
  • Validate ID Tokens and Access Tokens server-side.
  • Implement short-lived tokens and rotate refresh tokens.
  • Limit scopes and apply least privilege.
  • Conduct state and nonce validation.
  • Secure client credentials and refrain from embedding them in public apps.
  • Configure logging and alerting for authentication events.
  • Publish a security.txt for production services (guidance).

Monitoring and Logging:

  • Log token issuance events and track failed authentication attempts.
  • Monitor for abnormal patterns, such as many failed logins, unusual IP addresses, or unexpected token refresh activities.

Where to Learn More

  • Experiment with sandbox IdPs (Auth0/Okta offer free tiers) or set up Keycloak in a home lab (building a home lab guide).
  • For setting up a local Linux development environment on Windows, see Install WSL on Windows.
  • Automate deployments using Ansible for repeatable IdP configurations (Ansible Guide).

9. Further Reading and References

Authoritative Specs and Docs:

Provider Docs and Practical Guides:

Tools and Community Resources:

Additional Internal Resources (TechBuzzOnline):

Closing Notes OAuth 2.0 and OpenID Connect may seem complex initially. However, focusing on core roles, recommended flows such as Authorization Code + PKCE for public clients, and solid security practices will guide you considerably. Start with trusted libraries and managed providers, practice in a sandbox, and progressively enhance your design as you gain experience. If you would like a hands-on walkthrough for a specific provider (Auth0, Okta, Keycloak) or sample code for a backend in Node, Python, or Java, please let me know your preferred tech stack!

TBO Editorial

About the Author

TBO Editorial writes about the latest updates about products and services related to Technology, Business, Finance & Lifestyle. Do get in touch if you want to share any useful article with our community.