
<figcaption>Authorization code flow with PKCE for TeamCollab</figcaption></figure><blockquote id="894c"><p>What actually happens in PKCE is that the client first generates a random code (the code verifier) and hashes it with SHA-256. It sends the hashed result (the code challenge) along with the authorization request to the authorization server. Later, when the client submits the authorization code, it must also send the original, unhashed code. The authorization server then applies SHA-256 to it and verifies that the result equals the hashed code it received with the first request.</p></blockquote><h2 id="8d95">Why This Flow Matters</h2><p id="e58b">Now, imagine there were <b>no Authorization Code Flow</b>. You would be logging into TeamCollab by entering your Google email and password <b>directly into TeamCollab’s app</b>. This would lead to serious security risks:</p><ul><li><b>Credential Sharing</b>: TeamCollab would need to store your Google username and password, making it a prime target for attackers. If TeamCollab is hacked, your Google credentials (and any other users’) would be exposed.</li><li><b>Overprivileged Access</b>: Once you share your Google credentials, TeamCollab would have full access to your entire Google account — not just the parts you authorized. Without a way to scope the access (like tokens), the app could read all your emails, change settings, or worse.</li><li><b>No Revocation</b>: If TeamCollab were compromised or you stopped trusting it, the only way to revoke its access would be to change your Google password, which would be a huge inconvenience.</li></ul><h1 id="90ca">2. Client Credentials Flow in TeamCollab</h1><p id="8837">Let’s say TeamCollab provides an automated backup service for companies. This service periodically backs up all team-related documents and project files stored in Google Drive to a secure internal storage system (within TeamCollab). 
Since this backup task needs to happen on behalf of the <b>company</b> and not on behalf of a specific user, no individual user needs to log in. Instead, TeamCollab itself acts as the client, needing access to the company’s Google Drive storage for this scheduled task.</p><p id="8d20">Here, we use the <b>Client Credentials Flow</b>, where <b>TeamCollab</b> (the client) directly requests a token from Google’s authorization server to access company files for backups.</p><h2 id="f07a">Step-by-Step Flow:</h2><ol><li><b>TeamCollab Identifies Itself</b>: When it’s time to perform the backup, TeamCollab’s internal service reaches out to Google’s authorization server. Since there’s no specific user involved, it identifies itself using its <b>client ID</b> and <b>client secret</b>, which are like the app’s credentials. These credentials were issued by Google when TeamCollab integrated with Google Drive as a trusted client.</li><li><b>Token Request</b>: TeamCollab sends a request to Google’s authorization server, saying, “Hey, I’m TeamCollab, and I need access to Google Drive for backups. Here’s my client ID and secret.”</li><li><b>Token Issuance</b>: Google’s authorization server verifies TeamCollab’s credentials (client ID and client secret) and, if everything checks out, issues an <b>access token</b>.</li><li><b>Accessing the Resources</b>: TeamCollab takes the access token and uses it to access the company’s Google Drive. It retrieves the documents and project files necessary for the backup and stores them securely in its internal storage.</li><li><b>Token Expiration</b>: Just like in the <b>Authorization Code Flow</b>, the token has an expiration time. 
When the token expires, TeamCollab can request a new token using the same client credentials without any user intervention.</li></ol><figure id="aaac"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*LowSaXsXnHE5CKp4xzj8zA.png"><figcaption></figcaption></figure><h2 id="272f">Why Client Credentials Work Here</h2><p id="87dd">Now, you might wonder: <b>“Why is it okay to use a client ID and client secret to get a token in this scenario?”</b></p><p id="649b">Let’s break it down:</p><ol><li><b>No User Involvement</b>: In this scenario, no specific user is involved. The backup service is purely a <b>machine-to-machine</b> operation. It’s TeamCollab, as a system, interacting with Google Drive to retrieve files. Since no user is logging in, we don’t need to worry about user credentials, login screens, or handling sensitive user data.</li><li><b>Why Client ID and Client Secret are Safe</b>: TeamCollab uses its <b>client ID</b> and <b>client secret</b> (think of these as app credentials) to authenticate itself with Google. These credentials are securely stored on TeamCollab’s servers and never exposed publicly. This is a safe and standard practice because:</li></ol><blockquote id="42be"><p><b>It’s secure</b>: The client secret is stored securely on the server, not shared with end users or exposed in insecure environments (like browsers or mobile devices).</p></blockquote><blockquote id="bc8c"><p><b>No human interaction</b>: Since this process doesn’t involve a user logging in, there’s no risk of password sharing or phishing.</p></blockquote><blockquote id="2ad3"><p><b>Automated process</b>: The service can run automatically without requiring any manual steps or user intervention, which is ideal for background tasks like backups.</p></blockquote><p id="4ac1">3. 
<b>Machine-to-Machine Authentication</b>: The <b>Client Credentials Flow</b> is designed exactly for this kind of use case where one system (TeamCollab) needs to authenticate itself to another system (Google) and access resources without any user interaction. This flow is perfect for scenarios like background services, data syncs, or system-level integrations where no human needs to be involved.</p><h1 id="6f32">3. Device Code Grant in TeamCollab</h1><p id="6d4c">Imagine <b>TeamCollab</b> is installed on a large <b>smartboard</b> in your company’s meeting room. Team members can use the smartboard to manage tasks, review project timelines, or even access shared Google Drive files during meetings. However, the smartboard doesn’t have a keyboard or a convenient way to log in. You can’t type in your email and password on a large screen, especially in front of everyone.</p><p id="6384">In this situation, we need a way to let users securely log into TeamCollab <b>on the smartboard</b>, without directly entering credentials on the device itself. 
This is where the <b>Device Code Grant</b> flow comes into play.</p><p id="5900">The <b>Device Code Grant</b> is designed for devices like TVs, smartboards, or other gadgets that don’t have an easy input method for typing usernames and passwords.</p><h2 id="ce2c">Step-by-Step Flow:</h2><p id="ebb6">1. <b>Initiating the Login</b>: A user walks up to the smartboard in the meeting room, taps on the TeamCollab app, and selects “Log in to TeamCollab.” Instead of showing a keyboard or asking for credentials, the smartboard displays a <b>unique code</b> (let’s call it a <b>device code</b>) and a <b>URL</b> like <a href="https://login.teamcollab.com/device"><code>https://login.teamcollab.com/device</code></a>. The URL and code can also be encoded in a QR code for the user to scan with another device.</p><p id="2198">2. <b>User Action on Another Device</b>: The user is instructed to take out their <b>phone</b> or <b>laptop</b> (something that has a proper keyboard and browser) and navigate to the displayed URL. There, they’re asked to <b>enter the device code</b> that’s shown on the smartboard.</p><blockquote id="ce6f"><p>For example, the smartboard might show something like: <i>“To log in, go to <a href="https://login.teamcollab.com/device">https://login.teamcollab.com/device</a> and enter the code: <b>ABC123</b>.”</i></p></blockquote><blockquote id="823c"><p>Or scan the QR code, which opens the same URL with the code already embedded in it.</p></blockquote><p id="97f3">3. <b>Authentication on a Personal Device</b>: When the user opens the URL on their personal device (phone or laptop), it redirects them to the login page, where they authenticate. 
If the user then tries to access Google Drive files, TeamCollab’s auth service redirects them to Google’s login, and Google asks for their permission to allow TeamCollab (on the smartboard) to access their Google Drive and other resources.</p><p id="499e">4. <b>Granting Permission</b>: After the user consents, TeamCollab’s authorization server provides an <b>access token</b> to TeamCollab, which can then be used on the smartboard. TeamCollab automatically detects that the login process is complete and grants access to the user’s files and tasks on the smartboard. Meanwhile, the smartboard app keeps polling TeamCollab’s auth service to check whether the user has completed the login.</p><p id="9c02">5. <b>Access Granted</b>: The smartboard, now having received the token, can use it to interact with TeamCollab services without the user ever having to type in their credentials on the device itself. The user is securely logged in, and the smartboard can now be used to manage tasks, review files, and collaborate in real-time.</p><figure id="1e92"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*g3Y980sYElG-q7XtKD9yng.png"><figcaption>How device grant is used in a smartboard</figcaption></figure><h2 id="9dbb">Why Device Code Grant is Used Here</h2><p id="fe59">The <b>Device Code Grant</b> flow solves a very specific problem: how to log into devices that don’t have a user-friendly way to enter text, like smartboards or even TVs. Here’s why this flow is particularly useful:</p><ol><li><b>Input Limitation</b>: Devices like smartboards or TVs aren’t designed for entering usernames and passwords easily. 
The <b>Device Code Grant</b> allows users to authenticate using another, more convenient device (like their phone or laptop) where they can comfortably log in and grant access.</li><li><b>No Credential Exposure</b>: Since the user is never entering their credentials directly on the smartboard, there’s no risk of their password being exposed or compromised on a shared or insecure device. They’re only logging in via a trusted, personal device like their phone or computer.</li><li><b>Separation of Device and Authentication</b>: The <b>device code</b> separates the login process from the device itself. The smartboard or other limited-input device just needs to display the code and wait for the user to authenticate on another device. Once the authentication is completed on the personal device, the smartboard is granted access, but it never sees the user’s password or other sensitive information.</li></ol><p id="3069">The <b>Device Code Grant</b> flow in TeamCollab provides a perfect solution for scenarios where users need to authenticate on devices with limited input capabilities, like smartboards, while keeping their credentials secure and the process user-friendly.</p><h1 id="7f15">4. Refresh Token Flow in TeamCollab</h1><p id="ba5c">Let’s say you’ve logged into <b>TeamCollab</b> through the web app using the <b>Authorization Code Flow</b>. You’re working on a project and accessing your Google Drive files via TeamCollab. The access token TeamCollab received from Google has an expiration time — let’s say it’s valid for <b>one hour</b>. 
After that hour, the token will expire, and you won’t be able to continue accessing your Google Drive files unless you get a new token.</p><p id="08fc">This is where the <b>Refresh Token Flow</b> comes in handy.</p><h2 id="47c1">How the Refresh Token Flow Works:</h2><ol><li><b>Initial Token Issuance</b>: During the initial login (e.g., using the Authorization Code Flow), TeamCollab’s authorization server issues both an <b>access token</b> and a <b>refresh token</b>. The access token is used to communicate with Google’s APIs, and the refresh token is stored securely by TeamCollab for later use.</li><li><b>Access Token Expiry</b>: After an hour, the access token expires. Normally, you would need to go through the entire login process again to get a new access token, but since TeamCollab was also given a refresh token, it can use this to renew the access token automatically.</li><li><b>Token Renewal with the Refresh Token</b>: When TeamCollab notices that your access token has expired, it sends a request to the authorization server with the <b>refresh token</b>. The server verifies the refresh token and issues a <b>new access token</b> without requiring you to log in again.</li><li><b>Continued Access</b>: With the new access token in hand, TeamCollab can continue to access your Google Drive files seamlessly, without interrupting your workflow or making you log in again.</li></ol><h2 id="c1ab">Why the Refresh Token Flow is Useful</h2><p id="4d5f">The <b>Refresh Token Flow</b> provides a smooth user experience by avoiding frequent logins. 
Here’s why it’s beneficial:</p><ul><li><b>No Need for User Re-authentication</b>: Once logged in, the user can continue working without having to re-enter credentials every time the access token expires.</li><li><b>Long-Term Access</b>: The refresh token allows TeamCollab to renew access tokens in the background, ensuring uninterrupted access to resources over extended periods.</li><li><b>Security</b>: The refresh token itself is usually long-lived and can be securely stored on the server, minimizing the risk of exposure to the client or malicious actors.</li></ul><h1 id="9a12">Legacy Grant Types: Password Grant and Implicit Grant in TeamCollab</h1><p id="40ad">When OAuth 2.0 was first introduced, some systems were still heavily reliant on users providing their usernames and passwords to third-party services. To enable a <b>smooth transition</b> from these old methods to OAuth 2.0, the <b>Password Grant</b> and <b>Implicit Grant</b> were introduced. These grant types provided a way for existing systems to migrate to OAuth 2.0, but over time, as more secure and robust flows were developed, they became <b>legacy</b> and are no longer recommended for modern applications.</p><h2 id="fe9f">1. Password Grant (Resource Owner Password Credentials Grant)</h2><p id="f9c9"><b>How it works</b>: The <b>Password Grant</b> allows a user to provide their <b>username and password</b> directly to the client (in this case, TeamCollab), which then sends those credentials to the authorization server to obtain an <b>access token</b>.</p><ul><li><b>In TeamCollab’s case</b>: If we were to use the Password Grant flow, when a user logs into the TeamCollab web app, they would be asked to <b>enter their Google username and password directly into TeamCollab</b>. 
TeamCollab would then pass those credentials to Google’s authorization server and receive an access token to access the user’s Google Drive files.</li></ul><p id="b997"><b>Why it’s not recommended</b>: This method <b>exposes the user’s credentials</b> to the client app (TeamCollab), which completely defeats OAuth 2.0’s primary goal — <b>avoiding the sharing of credentials</b> with third-party services. It increases the risk of a security breach, as TeamCollab would now be responsible for handling and protecting user credentials, which could be exposed or misused.</p><p id="2e22"><b>Why other grant types are better</b>: The <b>Authorization Code Flow</b> with PKCE ensures that the user’s credentials are <b>never shared</b> with TeamCollab. Instead, authentication is handled directly between the user and the trusted authorization server (like Google), which returns a token to TeamCollab. This keeps credentials secure and out of TeamCollab’s hands.</p><h2 id="3351">2. Implicit Grant</h2><p id="6e41"><b>How it works</b>: The <b>Implicit Grant</b> is a simplified version of the Authorization Code Flow, where the <b>access token</b> is returned <b>immediately</b> without the need for exchanging an authorization code. This grant type was primarily designed for <b>client-side (JavaScript) applications</b> where storing a client secret wasn’t secure or feasible.</p><ul><li><b>In TeamCollab’s case</b>: If we used the Implicit Grant flow for our <b>web app</b>, when a user logs in, TeamCollab would receive the <b>access token directly</b> in the browser after they authenticate with Google, without any further token exchange.</li></ul><p id="7c5e"><b>Why it’s not recommended</b>: The Implicit Grant has <b>security vulnerabilities</b> because the <b>access token</b> is exposed directly in the browser, making it more susceptible to being intercepted by malicious actors. 
Since there’s no client secret involved, it’s easier for attackers to obtain access tokens and compromise security.</p><p id="7768"><b>Why other grant types are better</b>: The <b>Authorization Code Flow with PKCE</b> ensures that the <b>access token is exchanged server-side</b>, keeping it out of the client (browser) and adding an extra layer of security with the <b>PKCE code challenge</b>. This makes the entire flow more secure, especially for public clients like web or mobile apps.</p><p id="0aed">While the <b>Password Grant</b> and <b>Implicit Grant</b> served a purpose during the early days of OAuth 2.0 to help older systems transition, they are now <b>legacy</b> and <b>deprecated</b> for modern applications. By using secure grant types like <b>Authorization Code Flow with PKCE</b>, <b>Client Credentials</b>, <b>Device Code</b>, and <b>Refresh Tokens</b>, TeamCollab ensures a <b>more secure</b> and <b>robust</b> experience for its users.</p><h1 id="8606">You’ve Mastered OAuth 2.0 Grant Types!</h1><p id="6ae8">Congratulations! You’ve now got a solid understanding of the <b>OAuth 2.0 grant types</b> and how they apply to real-world projects, just like our hypothetical <b>TeamCollab</b> solution. Whether it’s securing a web or mobile app with the <b>Authorization Code Flow with PKCE</b>, letting backend services talk securely using the <b>Client Credentials Flow</b>, enabling device-based logins with the <b>Device Code Flow</b>, or keeping sessions alive with the <b>Refresh Token Flow</b>, you’ve covered the essentials of modern, secure access management.</p><p id="3ce5">By learning how to apply these grant types in your applications, you’re not just improving the <b>user experience</b>, but also contributing to making the <b>digital world a safer place</b>. 
OAuth 2.0 provides a robust framework for ensuring that user credentials stay private, access is controlled and revocable, and different devices can communicate securely.</p><p id="9646">As you continue building applications, make sure to <b>choose the right OAuth 2.0 grant type</b> for each situation. By doing so, you’re helping raise the bar on <b>security standards</b> across the web, creating a more secure environment for everyone.</p><p id="398b">Thanks for taking this journey into OAuth 2.0 grant types with me! Stay tuned for another scenario-based article covering another exciting <b>software engineering topic</b> soon. Keep learning, keep building, and let’s continue making the world a safer and more innovative place together!</p><p id="06bf">Until next time! 👋</p></article></body>
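The PKCE exchange described in the Authorization Code Flow section, as an added example that is not part of the original article: it generates the code verifier, derives the S256 code challenge, and shows a hypothetical authorization server binding the challenge to a single-use authorization code and checking the verifier at the token endpoint. Class and function names are assumptions; the server is a stand-in, not Google's or TeamCollab's implementation.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def make_code_verifier() -> str:
    # RFC 7636 allows 43-128 characters from [A-Za-z0-9-._~];
    # token_urlsafe(32) yields 43 base64url characters, the minimum length.
    return secrets.token_urlsafe(32)


def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(verifier))) with '=' padding stripped.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Hypothetical server: binds each authorization code to the challenge it
    was requested with and checks the verifier at the token endpoint."""

    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[str, str]] = {}  # code -> (challenge, method)

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        # Called after the user has authenticated and consented. Only the
        # challenge is stored; the verifier never reaches the server here.
        if method != "S256":
            raise ValueError("only S256 is accepted; 'plain' gives no protection")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (code_challenge, method)
        return code

    def token(self, code: str, code_verifier: str) -> Optional[dict]:
        # pop() makes the code single-use: a replayed code fails even with the
        # right verifier, and a stolen code fails without it.
        entry = self._pending.pop(code, None)
        if entry is None:
            return None
        stored_challenge, _ = entry
        recomputed = make_code_challenge(code_verifier)
        # Constant-time compare so a mismatch does not leak through timing.
        if not hmac.compare_digest(recomputed, stored_challenge):
            return None
        return {"access_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "expires_in": 3600}


def run_flow(server: AuthorizationServer, verifier: str, submitted: str) -> Optional[dict]:
    # One full exchange: obtain a code with the challenge, then redeem it with `submitted`.
    code = server.authorize(make_code_challenge(verifier))
    return server.token(code, submitted)
```

The first assertion below uses the verifier/challenge pair from RFC 7636 Appendix B, so the derivation can be checked against the standard.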
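A worked version of the Client Credentials flow from section 2, added here and not the article's code: a hypothetical token endpoint that stores only a hash of each client secret, compares in constant time and refuses scopes the client was not registered for, plus TeamCollab's backup job caching the token and requesting a new one with the same credentials shortly before it expires. The scope name drive.readonly, the 600-second token lifetime and all class names are constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional, Set, Tuple


def _hash_secret(secret: str) -> str:
    # Client secrets are long random strings, so a plain SHA-256 is enough to keep
    # a leaked client table from yielding usable secrets (no password stretching needed).
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


class AuthorizationServer:
    # Hypothetical token endpoint on the Google side for the client credentials grant.
    def __init__(self) -> None:
        self._clients: Dict[str, Tuple[str, Set[str]]] = {}  # client_id -> (hash, scopes)

    def register_client(self, client_id: str, secret: str, scopes: Set[str]) -> None:
        self._clients[client_id] = (_hash_secret(secret), set(scopes))

    def client_credentials_grant(self, client_id: str, client_secret: str,
                                 scope: str) -> Optional[dict]:
        entry = self._clients.get(client_id)
        # Compare against a dummy hash for unknown ids so response time does not
        # reveal which client ids exist.
        expected = entry[0] if entry else _hash_secret("")
        if not hmac.compare_digest(expected, _hash_secret(client_secret)) or entry is None:
            return None
        requested = set(scope.split())
        if not requested <= entry[1]:
            return None  # a client may not ask for more than it was registered for
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 600, "scope": " ".join(sorted(requested))}


class BackupService:
    # TeamCollab's scheduled backup job: the secret lives only here, server-side, and a
    # fresh token is fetched with it whenever the cached one is about to expire.
    def __init__(self, server: AuthorizationServer, client_id: str, client_secret: str,
                 now: Callable[[], float]) -> None:
        self._server, self._now = server, now
        self._client_id, self._client_secret = client_id, client_secret
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.token_requests = 0  # counts token-endpoint calls so renewal can be observed

    def access_token(self) -> str:
        # Renew 30 s early so a request already in flight never carries an expired token.
        if self._token is None or self._now() >= self._expires_at - 30:
            resp = self._server.client_credentials_grant(
                self._client_id, self._client_secret, "drive.readonly")
            if resp is None:
                raise PermissionError("client authentication failed")
            self._token = resp["access_token"]
            self._expires_at = self._now() + resp["expires_in"]
            self.token_requests += 1
        return self._token
```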
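The smartboard exchange from section 3 as runnable code, added for this page rather than taken from it. It follows RFC 8628, which calls the short code the user types the user_code and reserves device_code for the secret the smartboard polls with; the server, the show/sleep callbacks and the polling function are hypothetical, and https://login.teamcollab.com/device is the URL from the article.

```python
import secrets
from typing import Callable, Dict, Optional

VERIFICATION_URI = "https://login.teamcollab.com/device"  # URL from the article


class DeviceAuthServer:
    # Hypothetical TeamCollab auth service with the two device-flow endpoints.
    def __init__(self, now: Callable[[], float]) -> None:
        self._now = now
        self._sessions: Dict[str, dict] = {}      # device_code -> session
        self._by_user_code: Dict[str, dict] = {}  # user_code -> same session

    def device_authorization(self) -> dict:
        # device_code is a secret only the smartboard holds; user_code is short and typeable.
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ") for _ in range(8))
        session = {"user_code": user_code, "status": "pending", "expires_at": self._now() + 600, "last_poll": None}
        self._sessions[device_code] = self._by_user_code[user_code] = session
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI, "expires_in": 600, "interval": 5,
                "verification_uri_complete": f"{VERIFICATION_URI}?user_code={user_code}"}

    def approve(self, user_code: str) -> bool:
        # Reached from the phone or laptop after the user logged in and consented.
        s = self._by_user_code.get(user_code)
        if s is None or self._now() > s["expires_at"]:
            return False
        s["status"] = "approved"
        return True

    def token(self, device_code: str) -> dict:
        s = self._sessions.get(device_code)
        if s is None:
            return {"error": "invalid_grant"}
        now = self._now()
        if now > s["expires_at"]:
            return {"error": "expired_token"}
        if s["last_poll"] is not None and now - s["last_poll"] < 5:
            s["last_poll"] = now
            return {"error": "slow_down"}          # polled faster than the interval
        s["last_poll"] = now
        if s["status"] != "approved":
            return {"error": "authorization_pending"}
        del self._sessions[device_code], self._by_user_code[s["user_code"]]  # single use
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}


def smartboard_login(server: DeviceAuthServer, show: Callable[[dict], None],
                     sleep: Callable[[float], None]) -> Optional[str]:
    # Device side: display the code (or a QR of verification_uri_complete), then poll;
    # back off on slow_down and give up on any other error so a fresh code is requested.
    resp = server.device_authorization()
    show(resp)
    interval = resp["interval"]
    while True:
        sleep(interval)
        tok = server.token(resp["device_code"])
        err = tok.get("error")
        if err is None:
            return tok["access_token"]
        if err == "slow_down":
            interval += 5       # RFC 8628 section 3.5: add 5 s to the polling interval
        elif err != "authorization_pending":
            return None         # expired_token, access_denied or invalid_grant
```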
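The Refresh Token flow from section 4, as an added example that is not the article's code. It goes one step beyond the text: the server rotates the refresh token on every use and revokes the whole token family if an already-used refresh token comes back, the behaviour the OAuth 2.0 Security Best Current Practice recommends for public clients. The 30-day refresh lifetime, the family scheme and the class names are assumptions; the one-hour access token lifetime is the article's.

```python
import secrets
from typing import Callable, Dict, Optional, Set

ACCESS_TTL = 3600          # the one-hour access token from the article
REFRESH_TTL = 30 * 86400   # assumed refresh-token lifetime


class AuthorizationServer:
    # Hypothetical server: rotates the refresh token on every use and revokes the
    # whole token family if a rotated-out token is ever presented again.
    def __init__(self, now: Callable[[], float]) -> None:
        self._now = now
        self._refresh: Dict[str, dict] = {}   # refresh_token -> record
        self._revoked_families: Set[str] = set()

    def _issue(self, user: str, family: str) -> dict:
        rt = secrets.token_urlsafe(32)
        self._refresh[rt] = {"user": user, "family": family, "used": False,
                             "expires_at": self._now() + REFRESH_TTL}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": ACCESS_TTL, "refresh_token": rt}

    def login(self, user: str) -> dict:
        # End of the Authorization Code flow: the first access/refresh token pair.
        return self._issue(user, family=secrets.token_hex(8))

    def refresh(self, refresh_token: str) -> Optional[dict]:
        rec = self._refresh.get(refresh_token)
        if (rec is None or rec["family"] in self._revoked_families
                or self._now() > rec["expires_at"]):
            return None
        if rec["used"]:
            # The same refresh token presented twice means it leaked (or the client
            # is broken): cut off everyone holding tokens from this login.
            self._revoked_families.add(rec["family"])
            return None
        rec["used"] = True
        return self._issue(rec["user"], rec["family"])


class TeamCollabSession:
    # Client side: keeps the pair, refreshes a minute before expiry and always
    # stores the newest refresh token it was handed.
    def __init__(self, server: AuthorizationServer, user: str,
                 now: Callable[[], float]) -> None:
        self._server, self._now = server, now
        self.refreshes = 0
        self._apply(server.login(user))

    def _apply(self, resp: dict) -> None:
        self.access_token = resp["access_token"]
        self._refresh_token = resp["refresh_token"]
        self._expires_at = self._now() + resp["expires_in"]

    def bearer(self) -> str:
        if self._now() >= self._expires_at - 60:
            resp = self._server.refresh(self._refresh_token)
            if resp is None:
                raise PermissionError("refresh rejected; interactive login required")
            self._apply(resp)
            self.refreshes += 1
        return self.access_token
```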
