OAuth 2.0 is an authorization framework: it provides delegated authorization, not authentication.
Distinction: OAuth covers authorization (what an app is allowed to do); OpenID Connect (OIDC) is a layer on top of OAuth for authentication (who is logging in; it returns an ID token).
Authorization Code flow in detail:
- The app redirects the user to the Authorization Server with client_id, redirect_uri, scope, state (CSRF protection) and code_challenge (PKCE);
- The user authenticates and consents;
- The Authorization Server redirects back to the app with an authorization code;
- The app exchanges the code for an access token via a back-channel request (a POST; the client_secret is never exposed in a URL);
- The app uses the access token to call protected APIs;
- A refresh token is used to obtain a new access token when the current one expires.
PKCE (Proof Key for Code Exchange): the app generates a code_verifier (a random string) and sends code_challenge = hash(code_verifier) in step 1, then sends the code_verifier itself in step 4; the server recomputes the hash and checks that it matches. This prevents authorization code interception attacks and is mandatory for public clients (SPAs, mobile apps).
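The flow and the PKCE check above, worked through in code. This is an added example, not part of the original notes or any particular library: the endpoint URLs, the client id and the callback code are constructed placeholders, and the `session` dict stands in for whatever server-side session or secure storage the client actually uses. It covers both sides: the client builds the step-1 redirect (state plus S256 challenge), validates the callback's state before building the step-4 token request, and the Authorization Server's side recomputes the challenge from the presented verifier with a constant-time comparison.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoints, used only for this example.
AUTHORIZE_URL = "https://auth.example/oauth/authorize"
REDIRECT_URI = "https://app.example/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding PKCE (RFC 7636) uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 method.

    32 random bytes give a 43-character verifier, the RFC 7636 minimum length.
    """
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(client_id: str, scopes, session: dict) -> str:
    """Step 1: keep state and verifier in the client's session; send only the challenge."""
    state = b64url(secrets.token_bytes(16))
    verifier, challenge = make_pkce_pair()
    session[state] = verifier
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def query_params(url: str) -> dict:
    """Single-valued view of a URL's query string."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def handle_callback(callback_url: str, session: dict) -> dict:
    """Steps 3-4: verify state (CSRF check) and build the back-channel token request body."""
    qs = query_params(callback_url)
    state, code = qs.get("state"), qs.get("code")
    if state is None or code is None:
        raise ValueError("callback is missing state or code")
    verifier = session.pop(state, None)  # one-time use: a replayed state is rejected
    if verifier is None:
        raise ValueError("unknown state: possible CSRF or replay")
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
    }


def server_verify_pkce(stored_challenge: str, presented_verifier: str, method: str = "S256") -> bool:
    """Authorization Server side of step 4: recompute the challenge from the presented verifier."""
    if method != "S256":
        return False  # the 'plain' method gives no interception protection; refuse it
    recomputed = b64url(hashlib.sha256(presented_verifier.encode("ascii")).digest())
    return hmac.compare_digest(recomputed, stored_challenge)


def callback_accepted(callback_url: str, session: dict) -> bool:
    """True if the callback passes the state check; False for a forged or replayed state."""
    try:
        handle_callback(callback_url, session)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    session = {}
    url = build_authorize_url("spa-client", ["read:email"], session)
    sent = query_params(url)
    # Simulate the redirect back from the Authorization Server with a constructed code.
    req = handle_callback(f"{REDIRECT_URI}?code=constructed-code&state={sent['state']}", session)
    print("server accepts verifier:", server_verify_pkce(sent["code_challenge"], req["code_verifier"]))
```

The verifier never leaves the client until the back-channel POST in step 4, so an attacker who captures the redirect (and with it the authorization code and the challenge) cannot redeem the code; the state is popped on first use, so a replayed or forged callback fails before any token request is made.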
Implicit flow: deprecated; it returns the access token directly in the URL, where it is exposed in browser history, logs and Referer headers.
Client Credentials flow: machine-to-machine, no user involved; a backend service calling an API.
Scopes: granular permissions (read:email, write:calendar); request only the scopes the app actually needs.
Token storage: keep the access token in memory (SPA) and the refresh token in an HttpOnly cookie; do not use localStorage for sensitive tokens.
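The refresh-token cookie from the storage rule above, built with the attributes that make it safe, plus a small audit helper a defender can run over Set-Cookie headers to spot the weak form. This is an added example, not from the original notes; the cookie name and the refresh endpoint path are assumptions chosen for the example.

```python
from http.cookies import SimpleCookie

# Hypothetical names chosen for this example.
REFRESH_COOKIE = "refresh_token"
REFRESH_PATH = "/oauth/refresh"
REQUIRED_ATTRS = ("HttpOnly", "Secure", "SameSite")


def refresh_cookie_header(refresh_token: str, max_age: int = 14 * 24 * 3600) -> str:
    """Set-Cookie value for a refresh token.

    HttpOnly keeps it out of reach of scripts (so an XSS cannot read it the way it
    could read localStorage), Secure restricts it to HTTPS, SameSite=Strict stops
    cross-site requests from carrying it, and Path scopes it to the refresh endpoint
    so it is not sent with every request to the app.
    """
    jar = SimpleCookie()
    jar[REFRESH_COOKIE] = refresh_token
    morsel = jar[REFRESH_COOKIE]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Strict"
    morsel["path"] = REFRESH_PATH
    morsel["max-age"] = max_age
    return morsel.OutputString()


def missing_cookie_attributes(set_cookie: str) -> list:
    """Names from REQUIRED_ATTRS absent from a Set-Cookie header (case-insensitive match)."""
    attrs = [part.strip() for part in set_cookie.split(";")[1:]]
    present = {attr.split("=", 1)[0].lower() for attr in attrs}
    return [name for name in REQUIRED_ATTRS if name.lower() not in present]


if __name__ == "__main__":
    good = refresh_cookie_header("rt_constructed")
    weak = "refresh_token=rt_constructed; Path=/"  # constructed weak header
    print(good)
    print("missing on good header:", missing_cookie_attributes(good))
    print("missing on weak header:", missing_cookie_attributes(weak))
```

The access token is deliberately absent from this block: in the SPA pattern it lives only in a JavaScript variable for its short lifetime and is never written to a cookie or to storage, so there is nothing to set here.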
OAuth 2.1 (in standardization) consolidates current best practices: PKCE is required for all clients, and the Implicit and Resource Owner Password Credentials flows are removed.