What it is
OAuth 2.0 defines a handful of grant flows — authorisation code, client credentials, refresh token, device code — that exchange a user's consent for a short-lived access token. The specification separates the roles of resource owner, resource server, client, and authorisation server, and assumes TLS throughout. PKCE, originally designed for mobile clients, is now the recommended default for every public client.
Why it matters
Most modern authentication is OAuth 2.0 wearing an identity hat, usually via OpenID Connect layered on top. Consent flows, SSO integrations, and API authorisations all lean on it. Misconfigurations — loose redirect URI matching, missing state parameters, token leakage through referers — have caused account takeover at major platforms.
Mitigation direction
Pin exact redirect URIs, require PKCE for public clients, and validate the state parameter to stop cross-site request forgery during the code exchange. Store access tokens out of reach of third-party script, and treat refresh tokens like any other long-lived credential: rotate them and bind them to the client identifier they were issued to.
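The three checks above, written out as small authorisation-server and client-side functions. This is an added illustration, not code from any OAuth library or from the original page; the client registration is a constructed sample, and only the S256 PKCE method is accepted.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample client registration. Redirect URIs are a set of exact
# strings: no prefix matching, no wildcards, no path normalisation.
CLIENTS = {
    "mobile-app": {
        "redirect_uris": {"com.example.app://callback", "https://app.example.com/cb"},
        "public": True,
    }
}

def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Authorisation server: exact string match against the registered set."""
    client = CLIENTS.get(client_id)
    return client is not None and redirect_uri in client["redirect_uris"]

def make_pkce_pair() -> tuple:
    """Client: random code_verifier and its S256 code_challenge (RFC 7636)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge

def pkce_ok(code_verifier: str, stored_challenge: str) -> bool:
    """Token endpoint: recompute S256 over the presented verifier and compare
    in constant time with the challenge stored at authorisation time."""
    if not (43 <= len(code_verifier) <= 128):   # length bounds from RFC 7636
        return False
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    recomputed = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return hmac.compare_digest(recomputed, stored_challenge)

def state_ok(returned_state: str, session_state: Optional[str]) -> bool:
    """Client callback: the state echoed back must equal the value bound to
    this browser session, otherwise the code may belong to someone else."""
    return session_state is not None and hmac.compare_digest(returned_state, session_state)

def authorize_request(client_id: str, redirect_uri: str,
                      code_challenge: Optional[str], method: Optional[str]) -> bool:
    """Authorisation endpoint gate: exact redirect URI, and PKCE S256 is
    mandatory for public clients."""
    if not redirect_uri_allowed(client_id, redirect_uri):
        return False
    if CLIENTS[client_id]["public"] and (method != "S256" or not code_challenge):
        return False
    return True
```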