Spring Boot

OAuth2 & Authorization Server

OAuth2 and Authorization Server, flows (authorization code, client credentials), resource server, scopes

20 interview questions · Senior
1

What is OAuth2?

Answer

OAuth2 is an authorization protocol that allows a third-party application to obtain limited access to an HTTP service on behalf of a user, without exposing the user's credentials. It works via access tokens rather than passwords. OAuth2 is widely used for delegated authentication (login via Google, GitHub, etc.) and secured REST APIs.

2

What is the most secure OAuth2 flow for web applications?

Answer

The Authorization Code flow is the most secure because the access token is never exposed to the browser. The backend application exchanges a temporary authorization code for an access token via a secure channel (backend-to-backend). With PKCE (Proof Key for Code Exchange), this flow becomes even more secure against interception attacks.

3

When should the Client Credentials flow be used?

Answer

The Client Credentials flow is designed for machine-to-machine (service-to-service) communication without user context. The client application authenticates directly with its own credentials (client_id and client_secret) to obtain an access token. It is used for batch jobs, microservices, or backend APIs acting on their own behalf.

4

What is PKCE (Proof Key for Code Exchange) in OAuth2?

5

Why is the Implicit flow deprecated in OAuth2?
