© 2026 CheatGrid™. All rights reserved.

OAuth 2.0 and Authorization Flows Cheat Sheet

Updated 2026-03-18

OAuth 2.0 is an industry-standard authorization protocol that enables applications to obtain limited access to user resources without exposing credentials, forming the foundation for secure delegated access across the modern web. It separates authentication from authorization, allowing resource owners to grant third-party applications specific permissions through structured flows while maintaining control over their data. The protocol's flexibility supports diverse client types—from high-security server applications to browser-based SPAs and native mobile apps—while its extension ecosystem (PKCE, DPoP, PAR, mTLS) addresses evolving security threats and deployment scenarios. Understanding OAuth 2.0's flows, token types, and security parameters is essential for building secure APIs, implementing single sign-on, and protecting user data in distributed systems.

What This Cheat Sheet Covers

This topic spans 16 focused tables and 110 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.

  • Table 1: Core Authorization Flows
  • Table 2: PKCE Security Parameters
  • Table 3: Token Types and Properties
  • Table 4: OAuth 2.0 Scopes and Permissions
  • Table 5: Token Management Operations
  • Table 6: Client Authentication Methods
  • Table 7: OAuth 2.0 Endpoints
  • Table 8: Authorization Request Parameters
  • Table 9: OAuth 2.0 Client Types
  • Table 10: OpenID Connect and OAuth 2.0 Integration
  • Table 11: Advanced OAuth Extensions
  • Table 12: Security Best Practices and Considerations
  • Table 13: OAuth 2.0 Error Codes and Responses
  • Table 14: OAuth 2.0 Providers and Platforms
  • Table 15: Single Sign-On (SSO) Implementation
  • Table 16: OAuth 2.1 Changes from OAuth 2.0

Table 1: Core Authorization Flows

Authorization Code Flow with PKCE
  Example:
    GET /authorize?response_type=code
      &code_challenge=E9Melhoa...
      &code_challenge_method=S256
  Description:
    • Most secure flow for web and mobile apps
    • PKCE mandatory in OAuth 2.1
    • Exchanges the authorization code for tokens at the server
    • Protects against interception attacks using a dynamically generated code verifier/challenge pair

Client Credentials Flow
  Example:
    POST /token
    grant_type=client_credentials
    &client_id=xyz&client_secret=abc
  Description:
    • Machine-to-machine (M2M) authentication without user interaction
    • Service accounts exchange client ID/secret directly for an access token
    • Ideal for backend microservices, APIs, scheduled jobs, and server-to-server integration

Resource Owner Password Credentials (ROPC)
  Example:
    POST /token
    grant_type=password
    &username=user&password=pass
  Description:
    • Legacy flow where the app collects user credentials directly
    • Bypasses the authorization server consent screen
    • High security risk, as credentials are exposed to the client
    • Incompatible with MFA
    • Use only for migration scenarios

Device Authorization Flow
  Example:
    POST /device_authorization
    → user_code: WDJB-MJHT
    → verification_uri: /device
  Description:
    • Designed for input-constrained devices (smart TVs, IoT, CLI tools)
    • User completes authorization on a separate device with a full browser
    • Device polls the token endpoint using device_code until the user approves or the request expires
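A worked example of the PKCE verifier/challenge pair behind the Authorization Code Flow in Table 1, added here and not taken from the cheat sheet: it generates a code_verifier as RFC 7636 specifies, derives the S256 code_challenge, builds the GET /authorize query, and shows the check the token endpoint performs when the code is exchanged. The authorization server URL, client_id and redirect_uri are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Placeholder values for the example; a real deployment substitutes its own.
AUTH_SERVER = "https://auth.example.test"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://app.example.test/callback"


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: RFC 7636 code_verifier, 43-128 unreserved characters.
    32 random bytes base64url-encoded without padding yields 43 characters."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(challenge: str, state: str, scope: str = "openid profile") -> str:
    """The GET /authorize request from Table 1 with the challenge attached."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTH_SERVER}/authorize?{urlencode(params)}"


def server_verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Token endpoint check at code exchange: recompute the challenge from the verifier
    the client now presents and compare it with the one bound to the code at /authorize.
    Only S256 is accepted; 'plain' hands the verifier to anyone who saw the request."""
    if stored_method != "S256" or not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(s256_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = s256_challenge(verifier)
    print(build_authorize_url(challenge, state=secrets.token_urlsafe(16)))
    # An intercepted authorization code is useless without the verifier held only by the client:
    print(server_verify_pkce(challenge, "S256", verifier))              # True
    print(server_verify_pkce(challenge, "S256", make_code_verifier()))  # False
```

The truncated `E9Melhoa...` challenge in Table 1 is the RFC 7636 Appendix B test vector, which `s256_challenge` reproduces from the RFC's verifier.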
