Module 9 - Security

OAuth 2.0 & OIDC

Secure, delegated authorization without sharing passwords: the foundation of "Sign in with Google."

1. The Valet Key Analogy

Simple Analogy
A valet key lets the valet park your car but not open the trunk or glove box. You're granting limited access without handing over your main key. OAuth works the same way: an app gets limited access to your Google data without ever learning your Google password.

OAuth 2.0 is an authorization framework for granting an application limited, scoped access to a user's resources on the user's behalf. OIDC (OpenID Connect) is an identity layer built on top of it: it adds an ID token that tells the app who the user is.

2. Key Players

Resource Owner

The user who owns the data (you)

You want to let an app access your Google Calendar

Client

The app requesting access

A scheduling app like Calendly

Authorization Server

Issues tokens after user consent

accounts.google.com

Resource Server

Hosts the protected data

Google Calendar API

3. Authorization Code Flow

The recommended flow for web apps with a backend (a confidential client that can keep a client_secret). Pair it with a random state parameter and PKCE; current OAuth security guidance recommends PKCE even for confidential clients.

1. User clicks 'Sign in with Google'
   The app redirects the browser to Google's authorization endpoint with client_id, redirect_uri, the requested scopes, a random state value and a PKCE code_challenge.
2. User logs into Google
   Google shows the consent screen: 'App wants to access your calendar'.
3. User grants consent
   Google redirects the browser back to redirect_uri with a one-time authorization code and the same state. The app rejects the callback if the state doesn't match one it issued.
4. App exchanges the code for tokens
   The backend posts code + client_secret (+ the PKCE code_verifier) to Google's token endpoint. The client_secret never reaches the browser, and a stolen code is useless without the verifier.
5. Google returns tokens
   Access token (short-lived) + refresh token (long-lived), plus an ID token if the openid scope was requested.
6. App uses the access token
   Calls the Google Calendar API with the header "Authorization: Bearer <access_token>".
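The six steps above, simulated end to end. This is an added example, not code from the course page or from Google: the client backend and the authorization server are stand-ins that run in one process so the exchange can be traced offline, and the issuer URL, client_id, client_secret and redirect_uri are made-up values. It also shows the three misuses the design stops: replaying a redeemed code, a login-CSRF callback with a forged state, and redeeming an intercepted code without the PKCE verifier.

```python
"""Authorization Code flow with PKCE, simulated end to end (added example)."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://idp.example"            # assumed authorization server
CLIENT_ID = "scheduler-app"               # assumed client registration
CLIENT_SECRET = "assumed-client-secret"   # assumed; lives only on the backend
REDIRECT_URI = "https://app.example/cb"   # assumed pre-registered callback


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class ClientBackend:
    """Confidential client: builds the redirect, checks the callback, redeems the code."""

    def __init__(self):
        self.pending = {}  # state -> code_verifier, one entry per login attempt

    def start_login(self, scopes):
        # Step 1: state ties the callback to this browser session; the PKCE
        # verifier stays server-side and only its SHA-256 hash leaves the app.
        state = b64url(secrets.token_bytes(16))
        verifier = b64url(secrets.token_bytes(32))
        self.pending[state] = verifier
        params = {"response_type": "code", "client_id": CLIENT_ID,
                  "redirect_uri": REDIRECT_URI, "scope": " ".join(scopes),
                  "state": state, "code_challenge_method": "S256",
                  "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest())}
        return f"{ISSUER}/authorize?{urlencode(params)}"

    def handle_callback(self, callback_url, server):
        # Steps 3-4: drop callbacks whose state we never issued, then post
        # code + client_secret + code_verifier to the token endpoint.
        q = query(callback_url)
        verifier = self.pending.pop(q.get("state"), None)
        if verifier is None:
            raise ValueError("unknown or replayed state")
        return server.token(grant_type="authorization_code", code=q.get("code"),
                            client_id=CLIENT_ID, client_secret=CLIENT_SECRET,
                            code_verifier=verifier)


class AuthorizationServer:
    """Minimal stand-in for accounts.google.com: issues and redeems codes."""

    def __init__(self):
        self.codes = {}  # code -> what it was issued for; single use

    def authorize(self, url, user="alice"):
        # Steps 2-3: after login and consent, bind the code to the client,
        # its registered redirect_uri and the code_challenge in the request.
        q = query(url)
        if q.get("client_id") != CLIENT_ID or q.get("redirect_uri") != REDIRECT_URI:
            raise PermissionError("unregistered client or redirect_uri")
        code = b64url(secrets.token_bytes(24))
        self.codes[code] = {"sub": user, "scope": q["scope"], "challenge": q["code_challenge"]}
        return f"{REDIRECT_URI}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, **req):
        # Steps 4-5: code is single use (popped even on failure), the client must
        # authenticate, and the verifier must hash to the recorded challenge.
        rec = self.codes.pop(req.get("code"), None)
        if req.get("grant_type") != "authorization_code" or rec is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        if req.get("client_id") != CLIENT_ID or req.get("client_secret") != CLIENT_SECRET:
            raise PermissionError("invalid_client")
        got = b64url(hashlib.sha256(req.get("code_verifier", "").encode()).digest())
        if not secrets.compare_digest(got, rec["challenge"]):
            raise PermissionError("invalid_grant: PKCE verification failed")
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": b64url(secrets.token_bytes(32)),
                "scope": rec["scope"], "sub": rec["sub"]}


def run_flow():
    """Happy path, then the misuses that state, single-use codes and PKCE stop."""
    client, server = ClientBackend(), AuthorizationServer()
    callback = server.authorize(client.start_login(["openid", "email"]))
    tokens = client.handle_callback(callback, server)

    def rejected(fn):
        try:
            fn()
            return False
        except (PermissionError, ValueError):
            return True

    # a second login whose callback an attacker intercepts before the app redeems it
    stolen_code = query(server.authorize(client.start_login(["openid"])))["code"]
    redeem = lambda code: server.token(grant_type="authorization_code", code=code,
                                       client_id=CLIENT_ID, client_secret=CLIENT_SECRET,
                                       code_verifier="guess")
    return {"tokens": tokens,
            "replay_rejected": rejected(lambda: redeem(query(callback)["code"])),
            "forged_state_rejected": rejected(lambda: client.handle_callback(
                f"{REDIRECT_URI}?code=x&state=forged", server)),
            "stolen_code_rejected": rejected(lambda: redeem(stolen_code))}
```

Note that the stolen code fails even though the attacker in this scenario has the client_secret: PKCE binds the code to the verifier the backend generated and never sent anywhere, which is why it is worth using on confidential clients too.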

4. OAuth vs OIDC

OAuth 2.0

Purpose: Authorization

Provides: Access token

Answers: What can this app do?

Access user's photos, post on their behalf

OIDC

Purpose: Authentication + Authorization

Provides: ID token + Access token

Answers: Who is this user?

Get user's email, name, profile picture

OIDC adds an ID token (a JWT) containing user claims. Without OIDC, OAuth only grants access: you don't know WHO granted it, and an access token alone must never be treated as proof of the user's identity.

5. Token Types

Access Token

Typically 15 min - 1 hour

Authorizes API calls. Sent in the Authorization header as a Bearer token.

Short-lived. If leaked, damage is limited to the token's scopes for the rest of its lifetime. Treat it as opaque: the resource server validates it, the client should not parse or rely on its contents.

Refresh Token

Days to months

Obtains new access tokens without asking the user to log in again.

Store securely on the backend, never in the browser. Can be revoked; many providers rotate it on every use, so a replayed old refresh token is a signal of theft.

ID Token (OIDC)

Varies by provider (Google's are short-lived, about an hour)

Contains user identity claims (sub, email, name) addressed to the client application.

JWT format. Verify the signature against the provider's published keys, then check iss, aud (your client_id), exp and nonce before trusting any claim. Don't send it to APIs as a bearer credential; that is the access token's job.
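The checks listed above, as an added example that is not code from the course page or from any provider. Real providers sign ID tokens with RS256 and publish the public key via a JWKS document; here a shared HMAC key stands in for that key so the example runs offline with the standard library only. The issuer URL, client_id, key and claim values are made up for illustration.

```python
"""Validating an OIDC ID token before trusting its claims (added example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "https://accounts.example"           # assumed provider issuer URL
CLIENT_ID = "scheduler-app"                   # assumed client id (expected aud)
KEY = b"stand-in-for-the-provider-jwks-key"   # assumed; stands in for the RS256 key


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_id_token(claims: dict, alg: str = "HS256") -> str:
    """Provider side (stand-in). The alg parameter lets us forge 'none' tokens below."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_id_token(token: str, expected_nonce: str, now: Optional[int] = None) -> dict:
    """Client side: returns the claims only if every check passes, else raises ValueError."""
    now = int(time.time()) if now is None else now
    try:
        h, b, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(b))
    except Exception as exc:
        raise ValueError(f"malformed token: {exc}")
    # 1. Pin the algorithm: the token must not get to choose ('none' or a swap).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(KEY, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    # 2. Issuer and audience: from our provider, and minted for this client.
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not intended for this client")
    # 3. Lifetime, with a small clock-skew allowance.
    if claims.get("exp", 0) + 60 < now:
        raise ValueError("token expired")
    if claims.get("iat", 0) > now + 60:
        raise ValueError("token issued in the future")
    # 4. Nonce binds the token to the login request this client started.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replay or wrong session)")
    if "sub" not in claims:
        raise ValueError("missing sub")
    return claims


def demo() -> dict:
    """One valid token, then five tokens a correct verifier must refuse."""
    now = 1_700_000_000  # fixed clock so the example is reproducible
    good = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "sub-123",          # constructed claims
            "email": "alice@example.com", "iat": now, "exp": now + 3600, "nonce": "n-1"}
    results = {"valid": verify_id_token(sign_id_token(good), "n-1", now)["sub"]}
    unsigned_sig = b64url_encode(b"\x00" * 32)
    bad_cases = {
        "alg_none": (sign_id_token(good, alg="none"), "n-1"),
        "other_client": (sign_id_token({**good, "aud": "some-other-app"}), "n-1"),
        "expired": (sign_id_token({**good, "exp": now - 7200}), "n-1"),
        "replayed": (sign_id_token(good), "n-2"),
        "tampered": (sign_id_token(good).rsplit(".", 1)[0] + "." + unsigned_sig, "n-1"),
    }
    for name, (tok, nonce) in bad_cases.items():
        try:
            verify_id_token(tok, nonce, now)
            results[name] = "ACCEPTED"
        except ValueError as e:
            results[name] = f"rejected: {e}"
    return results
```

The "other_client" case is the one that bites real deployments: a perfectly valid ID token issued to some other app, replayed to yours, passes the signature check and fails only on aud.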

6. Common Scopes

Scope            Access Granted
openid           Basic OIDC. Required to receive an ID token.
profile          User's name, picture, etc.
email            User's email address.
offline_access   Refresh token for long-term access (OIDC scope; some providers use another mechanism, e.g. Google's access_type=offline request parameter).
calendar.read    Read the user's calendar (illustrative, provider-specific; Google's actual scope is the URL https://www.googleapis.com/auth/calendar.readonly).

7. Key Takeaways

1. OAuth 2.0 = authorization (what can the app do). OIDC = authentication (who is the user).
2. Authorization Code flow, with state and PKCE, is the most secure choice for web apps with a backend.
3. Access tokens are short-lived. Refresh tokens obtain new access tokens without another login.
4. Scopes limit what the app can access. Request the minimum needed.
5. Never store tokens in localStorage, where any XSS can read them. For browser apps keep tokens on the backend and give the browser only an httpOnly, Secure session cookie; on native apps use the platform's secure storage.

Quiz

1. 'Sign in with Google' to get the user's email uses: (Answer: OIDC. The ID token carries the user's identity; an access token alone only authorizes API calls.)

2. An access token leaked. Why is the damage limited? (Answer: it is short-lived and restricted to the granted scopes, so an attacker can do only what the app could, and only until it expires.)