Stage 3 · Build
Authentication & Authorization
OAuth2 Flows
Use authorization code with PKCE, scopes, callback handlers, and provider metadata discovery.
OAuth2 Overview
OAuth2 lets users grant your application limited access to their accounts on other services. Instead of sharing passwords, users authorize your app through a consent screen. Your app receives an access token with specific permissions.
Authorization Code with PKCE
Authorization Code with PKCE is the recommended OAuth2 flow for web and mobile applications. PKCE (Proof Key for Code Exchange) prevents authorization code interception attacks.
Provider Discovery
Most OAuth2 providers publish their configuration at a well-known URL. This eliminates hardcoded endpoints and lets you support multiple providers with the same code.
Callback Handlers
Scopes
Scopes define what your application can access. Request the minimum scopes needed. Common scopes include openid (identity), profile (name, picture), and email.
| Scope | Access Granted | Use Case |
|---|---|---|
| openid | User ID | Authentication |
| profile | Name, avatar | User display |
| Email address | Account creation | |
| repo | GitHub repositories | Repository access |
| calendar | Calendar events | Event management |
Token Exchange
After authorization, exchange the code for access and refresh tokens. The access token is short-lived. The refresh token lets you get new access tokens without user interaction.
Access tokens and refresh tokens are credentials. Store them encrypted at rest. Never log them. Never expose them in URLs or error messages.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.