
OAuth 2.0

networking PHP 7.0+ Intermediate

Also Known As

OAuth2, OAuth

TL;DR

An authorisation framework that allows applications to obtain limited access to user accounts on third-party services without exposing passwords.

Explanation

OAuth 2.0 defines several grant types for different use cases. The Authorization Code flow (with PKCE for public clients) is the most secure: the user authenticates with the identity provider, the client receives a short-lived authorisation code via the redirect, and the client exchanges that code for tokens at the token endpoint. The Implicit flow is deprecated. Client Credentials is used for machine-to-machine access with no user involved. OAuth 2.0 handles authorisation only; OpenID Connect adds identity (authentication) on top.

Diagram

sequenceDiagram
    participant U as User
    participant C as Client App
    participant A as Auth Server
    participant R as Resource Server
    U->>C: Click Login with Google
    C->>A: Redirect + client_id + state + scope
    A->>U: Show login and consent screen
    U->>A: Approve
    A->>C: Redirect with code + state
    C->>A: POST code + client_secret
    A->>C: access_token + id_token
    C->>R: GET /userinfo Bearer token
    R->>C: User profile data

Common Misconception

"OAuth 2.0 is an authentication protocol." It is not: OAuth 2.0 is an authorisation framework; use OpenID Connect on top for authentication.

Why It Matters

OAuth flaws (missing state validation, open redirect_uri) enable account takeover without ever needing the user's password.

Common Mistakes

  • Not validating the state parameter — enables CSRF against the OAuth callback.
  • Not restricting redirect_uri — any URI can receive the authorisation code.
  • Using Implicit flow — the access token is exposed in the browser URL and history.
  • Not validating the id_token audience (aud) claim when using OIDC — tokens issued to other clients are accepted.

Code Examples

✗ Vulnerable
// Missing state validation — CSRF on OAuth callback:
// (vulnerable on purpose: the callback is trusted solely because it carries a code)
$code = $_GET['code'] ?? '';
// state parameter not checked — attacker can forge the callback
$tokens = exchangeCode($code);   // exchangeCode() and loginUser() are the application's own helpers
loginUser($tokens);
✓ Fixed
// State validation prevents CSRF:
$state    = $_GET['state'] ?? '';
$expected = $_SESSION['oauth_state'] ?? '';   // guard: hash_equals() rejects a missing (null) value
if ($expected === '' || !hash_equals($expected, $state)) {
    throw new SecurityException('Invalid state — possible CSRF');   // application-defined exception
}
unset($_SESSION['oauth_state']);   // single use: a replayed callback fails the check above
$tokens = exchangeCode($_GET['code'] ?? '');
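As an added example (not the glossary's own code), both halves of the Authorization Code flow with PKCE and state for a PHP public client, covering the first three Common Mistakes together; the provider URL, client id and redirect URI are placeholders, and the session is passed in as an array so the functions can be exercised outside a web request:

```php
<?php
// Added example, not the glossary's own code: Authorization Code flow with PKCE + state.
// Placeholders: provider URL, CLIENT_ID, REDIRECT_URI. $session stands in for $_SESSION.
const AUTHORIZE_URL = 'https://idp.example/authorize';
const CLIENT_ID     = 'my-client-id';
const REDIRECT_URI  = 'https://app.example/callback';
// base64url without padding, as RFC 7636 requires for the verifier and challenge
function base64url(string $bytes): string {
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}
// Step 1: build the authorisation request; keep state and verifier server-side only.
function buildAuthorizeUrl(array &$session): string {
    $state    = base64url(random_bytes(32));
    $verifier = base64url(random_bytes(32));   // 43 chars, within the 43..128 range
    $session['oauth_state']    = $state;
    $session['oauth_verifier'] = $verifier;
    return AUTHORIZE_URL . '?' . http_build_query([
        'response_type'         => 'code',
        'client_id'             => CLIENT_ID,
        'redirect_uri'          => REDIRECT_URI,   // must match the URI registered at the provider
        'scope'                 => 'openid profile',
        'state'                 => $state,
        'code_challenge'        => base64url(hash('sha256', $verifier, true)),
        'code_challenge_method' => 'S256',
    ]);
}

// Step 2: on the callback, bind the response to this session before touching the code,
// then build the token request; the verifier proves this client started the flow.
function handleCallback(array $query, array &$session): array {
    $expected = $session['oauth_state'] ?? '';
    $state    = $query['state'] ?? '';
    if ($expected === '' || !hash_equals($expected, $state)) {
        throw new RuntimeException('state mismatch: possible CSRF on the OAuth callback');
    }
    unset($session['oauth_state']);            // one-time use: a replayed callback fails
    if (!isset($query['code'])) {
        throw new RuntimeException('no code: ' . ($query['error'] ?? 'unknown error'));
    }
    $verifier = $session['oauth_verifier'];
    unset($session['oauth_verifier']);
    return [                                   // POST this body to the provider's token endpoint
        'grant_type'    => 'authorization_code',
        'code'          => $query['code'],
        'redirect_uri'  => REDIRECT_URI,
        'client_id'     => CLIENT_ID,
        'code_verifier' => $verifier,
    ];
}
```

No client_secret appears anywhere: a public client relies on the code_verifier instead, so nothing sensitive has to ship to the browser.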

Added 15 Mar 2026
Edited 22 Mar 2026
DEV INTEL Tools & Severity
🟠 High ⚙ Fix effort: High
⚡ Quick Fix
Use an established OAuth2 library (league/oauth2-client); send and validate the state parameter to prevent CSRF, use PKCE for public clients, and never put client_secret in frontend code.
📦 Applies To
PHP 7.0+ web api
🔍 Detection Hints
OAuth2 implementation without state parameter verification or client_secret exposed in JavaScript
Auto-detectable: ✗ No semgrep
CWE-287 CWE-601