OAuth 2.0 / OpenID Connect

Overview

OAuth 2.0 is the industry standard for API authorization, and OpenID Connect (OIDC) extends it for user authentication. Together they provide Authorization Code + PKCE for secure token exchange, JWT-based identity tokens, refresh token rotation, and integration with identity providers (Auth0, Okta, Keycloak, Google, Azure AD) for social login and enterprise SSO.

Instructions

• When implementing authentication, use the Authorization Code + PKCE flow for all client types (SPAs, mobile, server) since it is the only secure flow; never use the deprecated Implicit or Resource Owner Password flows.
• When validating tokens on the API side, verify the JWT signature using the provider's JWKS endpoint, check exp, iss, and aud claims, and never trust client-side token validation alone.
• When storing tokens in web apps, use httpOnly, secure, sameSite=lax cookies; never store tokens in localStorage since it is vulnerable to XSS.
• When managing token lifecycle, use short-lived access tokens (5-15 minutes) with refresh token rotation where each refresh token is single-use and a new one is issued with each refresh.
• When integrating a provider, use the discovery endpoint (/.well-known/openid-configuration) for auto-configuration rather than hardcoding endpoints.
• When implementing logout, revoke the refresh token, clear the session, and redirect to the provider's logout endpoint for complete session termination.

Examples

Example 1: Add social login to a Next.js app with PKCE