OAuth 2.0

  • RFC 6749 — OAuth 2.0 Authorization Framework
  • RFC 7636 — Proof Key for Code Exchange (PKCE)
  • RFC 7662 — Token Introspection
  • RFC 7009 — Token Revocation
  • RFC 8628 — Device Authorization Grant
| Flow ID | Name | Description |
|---|---|---|
| authorization_code | Authorization Code | Standard redirect-based authorization |
| authorization_code_pkce | Authorization Code + PKCE | Authorization code with code verifier/challenge |
| client_credentials | Client Credentials | Machine-to-machine token issuance |
| refresh_token | Refresh Token | Token renewal without re-authorization |
| token_introspection | Token Introspection | Validate and inspect active tokens (RFC 7662) |
| token_revocation | Token Revocation | Invalidate tokens (RFC 7009) |
| device_code | Device Code | Authorization for input-constrained devices (RFC 8628) |
| implicit | Implicit (Legacy) | Browser-based flow, deprecated per security BCP |
| password | Resource Owner Password (Legacy) | Direct credential exchange, deprecated |
  • Authorization Code Flow Demo — Complete redirect flow with consent
  • PKCE Flow Demo — PKCE challenge/verifier exchange
  • Client Credentials Demo — Direct client authentication
  • Token Refresh Demo — Refresh grant with token rotation
| Path | Methods | Purpose |
|---|---|---|
| /oauth2/authorize | GET, POST | Authorization endpoint |
| /oauth2/token | POST | Token endpoint |
| /oauth2/introspect | POST | Token introspection |
| /oauth2/revoke | POST | Token revocation |
| /oauth2/demo/users | GET | List demo users |
| /oauth2/demo/clients | GET | List demo clients |
  • PKCE code_challenge and code_verifier alignment
  • Token claims: iss, sub, aud, exp, iat, scope
  • Introspection response: active, token_type, scope
  • Revocation: subsequent introspection returns active: false
  • Device code: polling interval, authorization_pending vs slow_down