GET <https://auth.example.com/oauth/authorize>
| Parameter | Description |
|---|---|
| response_type=code | Requests an authorization code (the authorization-code grant). SDKs usually hard-code this. |
| client_id=YOUR_CLIENT_ID | Identifies your app; registered in the provider's developer console beforehand. |
| redirect_uri=https://yourapp.com/oauth/callback | Where the user (and the code) is sent after authorization. Must exactly match a URI registered for the client; the provider rejects anything else, which is what stops an attacker from having the code delivered to a host they control. |
| state=random_csrf_token | An unguessable value generated by your backend and bound to the user's session, to prevent CSRF. The callback handler must compare it against the stored value before touching the code. |
| scope=profile email | Permissions you're requesting, space-separated. Each provider defines its own scope names. |
| code_challenge=BASE64URL(SHA256(code_verifier)) | (PKCE) Required for public clients (SPAs, mobile, CLI), which cannot keep a client secret. Current best practice (OAuth 2.0 Security BCP, OAuth 2.1 draft) recommends it for confidential backends too, since it also blocks authorization-code injection. |
| code_challenge_method=S256 | (PKCE) Hash method used. `plain` exists for legacy reasons but should not be used. |
access_type / token_access_type / offline_access
“Do I want a refresh token or only a short-lived access token?”
OAuth 2 grew up around browser-based clients, where handing out a refresh token was considered too risky, and the implicit grant never issued one. The reason: a browser app is a public client with no secret to protect the token, the token would sit in JavaScript-accessible storage where any XSS could exfiltrate it, and a stolen refresh token keeps granting access long after the user's session is gone.
Modern OAuth clients (web backends, native and mobile apps using PKCE) legitimately need long-term access, so providers added a way to ask for a refresh token. The knob is not standardised and differs per provider:
| Provider | How to ask for a refresh token |
|---|---|
| Google (`access_type`), Dropbox (`token_access_type`) | `online` (default) → no refresh token; `offline` → a refresh token is issued |
| Azure / Okta | No parameter. Instead it's a scope: `scope=offline_access` |
Caveat: Google returns the refresh token only on the user's first authorization; to get a fresh one, send the request again with `prompt=consent`.
prompt
“Show a login screen? Force consent? Let the user choose an account?”
OAuth 2 itself does not define this parameter or any front-end behaviour. `prompt` comes from OpenID Connect (OIDC), which is layered on top of OAuth 2, and gives the client control over user interaction during login/consent. Google, Azure and Okta all honour it, though not every provider supports every value. The value is a space-separated list, so values can be combined (e.g. `prompt=consent select_account`); `none` is the exception and must appear alone.
| prompt value | UI | Common real-world scenario |
|---|---|---|
| select_account | Always show the account-chooser UI, even if the user is already logged in | User has multiple Google accounts and you want them to pick explicitly (e.g., Drive sync, Gmail integration) |
| consent | Always show the consent screen again, even if the user already granted these scopes | You changed the requested scopes, or want to refresh user consent |
| login | Always show the login screen; forces the user to re-authenticate | High-security actions (e.g., linking a bank account) |
| none | Don't show any UI. Silent authentication; if it is not possible, the provider redirects back with an error (`login_required`, `interaction_required`, `consent_required` or `account_selection_required`) instead of a code | Background token refresh in a browser session, typically from a hidden iframe |
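The pieces above fit together in one small client-side routine: generate `state` and a PKCE pair, build the `/authorize` URL with the provider-specific way of asking for a refresh token and an optional `prompt`, then validate the callback (state first, then the `prompt=none` error family, then the code). This is an added example, not code from the original page or from any provider SDK; the endpoint URL, client id, redirect URI and the `PROVIDERS` table are assumptions made for illustration.

```python
"""Build an OAuth 2 / OIDC authorization request and validate the callback.

Added example; not the page's or any provider's own code. The endpoint URL,
client id, redirect URI and the PROVIDERS table are illustrative assumptions.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed provider profiles (hypothetical): Google asks for a refresh token via
# the access_type parameter, Azure AD / Okta via the offline_access scope.
# Both point at the same example endpoint here.
PROVIDERS = {
    "google": {"authorize": "https://auth.example.com/oauth/authorize",
               "offline": ("param", "access_type", "offline")},
    "azure":  {"authorize": "https://auth.example.com/oauth/authorize",
               "offline": ("scope", "offline_access")},
}

# OIDC error codes a prompt=none request returns when silent auth is impossible.
SILENT_AUTH_ERRORS = {"login_required", "interaction_required",
                      "consent_required", "account_selection_required"}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)) (RFC 7636, method S256)."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def make_pkce_pair():
    """Fresh (code_verifier, code_challenge); the verifier never leaves the client."""
    verifier = _b64url(secrets.token_bytes(32))  # 43 chars, inside RFC 7636's 43..128
    return verifier, pkce_challenge(verifier)


def build_authorize_url(provider, client_id, redirect_uri, scopes, *, state,
                        code_challenge, want_refresh_token=False, prompt=None):
    """Assemble the GET /authorize URL; `scopes` is a list of provider scope strings."""
    profile = PROVIDERS[provider]
    scopes = list(scopes)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    if want_refresh_token:
        kind, *rest = profile["offline"]
        if kind == "param":
            params[rest[0]] = rest[1]      # e.g. access_type=offline
        else:
            scopes.append(rest[0])         # e.g. scope=profile offline_access
    params["scope"] = " ".join(scopes)
    if prompt:
        values = prompt.split()
        if "none" in values and len(values) > 1:
            raise ValueError("prompt=none cannot be combined with other values")
        params["prompt"] = prompt
    return profile["authorize"] + "?" + urlencode(params)


def handle_callback(callback_url, expected_state, expected_redirect_uri):
    """Validate the redirect back to us.

    Returns ("code", code) on success, ("retry_interactive", error) when a
    prompt=none attempt needs user interaction, and raises on anything suspicious.
    """
    parsed = urlparse(callback_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != expected_redirect_uri:
        raise ValueError("callback arrived on an unexpected URL")
    q = parse_qs(parsed.query)
    # state is checked before anything else: a missing or mismatched value means
    # CSRF or a mix-up, so the code is discarded without ever being exchanged.
    got_state = q.get("state", [""])[0]
    if not got_state or not secrets.compare_digest(got_state, expected_state):
        raise ValueError("state mismatch: rejecting callback")
    if "error" in q:
        err = q["error"][0]
        if err in SILENT_AUTH_ERRORS:
            return ("retry_interactive", err)
        raise ValueError(f"authorization failed: {err}")
    if "code" not in q:
        raise ValueError("callback carries neither code nor error")
    return ("code", q["code"][0])


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(32)  # store state + verifier in the server-side session
    print(build_authorize_url("google", "YOUR_CLIENT_ID",
                              "https://yourapp.com/oauth/callback",
                              ["profile", "email"], state=state,
                              code_challenge=challenge,
                              want_refresh_token=True, prompt="consent"))
```

The `state` and `code_verifier` must be kept server-side (or in the native app's secure storage) and looked up from the session when the callback arrives; a `("retry_interactive", ...)` result from a `prompt=none` attempt is the cue to redirect the user to the same URL without `prompt=none`.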