oAuth for Beginners - How oauth authentication🔒 works ?

Am I correct if I say, the Authorization is done once at the set-up time, and access code is generated for every request?

​@@ThoufiqShamin I am wondering the same.

Thankyou 🙏

Congratulations 🎊

1. Reduced Exposure of Tokens
Authorization Code Flow: The access token is not exposed in the user-agent (browser) or returned directly to the client application via the front channel (e.g., as a URL fragment). Instead, the authorization code is obtained through the user-agent but must be exchanged for an access token using a back-channel request from the server. This means the access token is transmitted directly from the authorization server to the application server, never passing through the client's browser.
Implicit Flow: The access token is delivered directly to the user-agent, making it more susceptible to being exposed in URLs, browser history, logs, or potentially malicious scripts running in the browser.
2. Client Authentication
Authorization Code Flow: This flow allows the client (application) to authenticate itself to the authorization server when exchanging the authorization code for an access token. This is typically done using the client secret, which only the client and the authorization server know. This step significantly reduces the risk of tokens being issued to malicious parties.
Implicit Flow: There is no client authentication involved when obtaining the access token, which makes it less secure, particularly for applications that can maintain confidentiality (e.g., server-side applications).
3. Short-Lived Authorization Codes
Authorization Code Flow: The authorization codes are short-lived and can only be used once. If an authorization code is intercepted, it becomes useless once it's exchanged for an access token. This minimizes the window for potential misuse.
Implicit Flow: Since access tokens are directly issued, any interception gives immediate access to the attacker.
4. Possibility of Using Refresh Tokens
Authorization Code Flow: This flow supports the issuance of refresh tokens (depending on the authorization server's policy), allowing applications to obtain new access tokens without requiring the user to authenticate again. This is particularly useful for applications needing long-term access to a resource server without compromising security.
Implicit Flow: Typically, refresh tokens are not issued because of the security implications of having such tokens in a less secure environment (like a browser).
5. Secure Token Handling and Storage
Authorization Code Flow: Since the tokens are obtained via a back-channel and can be stored securely on the server, it mitigates common threats such as Cross-Site Scripting (XSS) or other attacks that could compromise tokens stored or handled client-side.
Implicit Flow: Tokens stored in the browser are more vulnerable to being stolen through XSS or other similar attacks.
The Authorization Code flow, by requiring an intermediate step (the exchange of the authorization code for an access token), adds a significant layer of security that protects both the resource owner and the client application. It is particularly suited for applications that can maintain the confidentiality of their credentials and for scenarios where token theft or leakage could lead to significant security risks. The Implicit flow, while simpler and more direct, is generally recommended only for clients that are unable to securely store credentials and where the access token has limited permissions and a short lifespan.

I must say thats a fantastic question, from business perspective Google or Amazon knows that eventually users will end up using thier platforms if there is a dependency created like oAuth does. Secondly these giants needs user data insights for thier own business and letting other Apps use oAuth enable them to do so.

Thanks Anish ❤️☺️

Thanks

Thanks

❤️❤️❤️