
OAuth 2.0 Examples

Authorization Code Flow

The standard OAuth 2.0 Authorization Code Grant.

pidl generate oauth2_authorization_code

Entities

Entity           Type                  Role
user             user                  Resource owner
browser          browser               User agent
client           client                Application requesting access
auth_server      authorization_server  Issues tokens
resource_server  resource_server       Protected API

Phases

  1. Authorization Request: Client redirects the browser to the authorization endpoint with response_type=code, its redirect_uri and a fresh state value
  2. User Authentication: User authenticates with the auth server
  3. Authorization Grant: User consents; the auth server redirects the browser back to redirect_uri with a short-lived code and the echoed state
  4. Token Exchange: Client checks that state matches what it sent, then posts the code to the token endpoint and receives tokens
  5. Resource Access: Client presents the access token to the resource server

PKCE Flow

OAuth 2.0 with Proof Key for Code Exchange (PKCE, RFC 7636) for public clients such as native and single-page apps, which cannot keep a client secret.

pidl generate oauth2_pkce

Additional Security

  • code_verifier: High-entropy random string (43 to 128 unreserved characters) generated by the client and kept until the token request
  • code_challenge: base64url(SHA-256(code_verifier)), sent with the authorization request as code_challenge with code_challenge_method=S256
  • Server recomputes the challenge from the code_verifier presented at the token endpoint and rejects the exchange unless it matches the challenge bound to the code
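The five phases above and the PKCE binding, carried through end to end as an added example. This is not pidl's code or generated output: the authorization server is an in-memory stand-in written for this page, and the endpoint URL, client_id and redirect_uri are constructed values. The test vector for the S256 challenge is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical authorization endpoint, constructed for this example.
AUTHORIZE_URL = "https://auth.example/authorize"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: 32 random bytes -> 43 unreserved characters (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_request(client_id: str, redirect_uri: str, scope: str,
                                state: str, challenge: str) -> str:
    """Phase 1: the URL the client sends the browser to. state protects the redirect against CSRF."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


class AuthServer:
    """In-memory stand-in for the authorization server (constructed for the example, not a real server)."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri, code_challenge, method)

    def authorize(self, url: str):
        """Phases 2-3: after the user authenticates and consents, bind the challenge to a fresh code.
        Returns (code, state) as the redirect back to the client would carry them."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if q.get("response_type") != "code" or q.get("code_challenge_method") != "S256":
            raise ValueError("unsupported request")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"], "S256")
        return code, q.get("state", "")

    def token(self, code: str, client_id: str, redirect_uri: str, verifier: str):
        """Phase 4: recompute the challenge from the verifier and compare it to the one bound to the code."""
        record = self._codes.pop(code, None)  # pop: a code is single use, so replay fails
        if record is None:
            return None, "invalid_grant"
        bound_client, bound_redirect, challenge, method = record
        if bound_client != client_id or bound_redirect != redirect_uri:
            return None, "invalid_grant"
        if not (43 <= len(verifier) <= 128):
            return None, "invalid_grant"
        if method != "S256" or not hmac.compare_digest(make_code_challenge(verifier), challenge):
            return None, "invalid_grant"
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}, None


def client_check_redirect(expected_state: str, returned_state: str) -> bool:
    """Client side, on the redirect back: refuse the code if state is not the one we sent."""
    return hmac.compare_digest(expected_state, returned_state)


def run_flow(server: AuthServer, client_id: str = "demo-app",
             redirect_uri: str = "https://app.example/cb"):
    """The whole exchange; returns (token_response, error)."""
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    url = build_authorization_request(client_id, redirect_uri, "read", state,
                                      make_code_challenge(verifier))
    code, returned_state = server.authorize(url)
    if not client_check_redirect(state, returned_state):
        return None, "state_mismatch"
    return server.token(code, client_id, redirect_uri, verifier)


if __name__ == "__main__":
    print(run_flow(AuthServer()))
```

The two properties worth noticing are that the verifier never leaves the client until the token request, so a leaked code is useless without it, and that the server pops the code on first use, so a replayed or guessed code fails with invalid_grant rather than being retried.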

Example with Annotations

{
  "from": "client",
  "to": "auth_server",
  "action": "token_request",
  "annotations": [
    {
      "type": "security",
      "text": "Validate code_verifier against code_challenge"
    }
  ]
}

OpenID Connect

OpenID Connect authentication layered on the OAuth 2.0 Authorization Code flow.

pidl generate oidc_authentication

Additional Features

  • ID Token (a signed JWT carrying identity claims) returned alongside the access token
  • UserInfo endpoint returns profile claims when called with the access token
  • openid scope required in the authorization request
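What the client must do with the ID Token before trusting it, as an added example that is not part of pidl or its generated diagrams. It mints and validates an HS256-signed ID Token with only the standard library; HS256 keyed with the client secret is a simplification, since most providers sign with RS256 or ES256 and publish keys via JWKS. The issuer, client_id and secret are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical issuer, audience and shared secret, constructed for this example.
ISSUER = "https://auth.example"
CLIENT_ID = "demo-app"
CLIENT_SECRET = b"constructed-shared-secret-for-the-example"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, key: bytes = CLIENT_SECRET) -> str:
    """Provider side (simulated): header.payload.signature with HMAC-SHA256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_id_token(token: str, nonce: str, now: int = None, key: bytes = CLIENT_SECRET):
    """Relying-party checks (OpenID Connect Core 3.1.3.7): signature, then iss, aud, exp, nonce.
    Returns (claims, None) on success or (None, reason) on failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        actual_sig = _b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        return None, "malformed"
    # Pin the algorithm you expect; never let the token's own header choose it (alg=none attacks).
    if header.get("alg") != "HS256":
        return None, "unexpected_alg"
    expected_sig = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, actual_sig):
        return None, "bad_signature"
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != ISSUER:
        return None, "wrong_issuer"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        return None, "wrong_audience"
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:  # multiple audiences need azp
        return None, "missing_azp"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None, "expired"
    # nonce ties this token to the authorization request the client actually made.
    if claims.get("nonce") != nonce:
        return None, "nonce_mismatch"
    return claims, None


if __name__ == "__main__":
    issued = int(time.time())
    tok = mint_id_token({"iss": ISSUER, "sub": "user-1", "aud": CLIENT_ID,
                         "iat": issued, "exp": issued + 600, "nonce": "n-abc"})
    print(validate_id_token(tok, "n-abc"))
```

Order matters: verify the signature before reading any claim, and compare the nonce against the value the client stored when it built the authorization request, not against anything in the token itself.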

Diagram

pidl generate -f mermaid oidc_authentication