OAuth 2.0 / OIDC Threat Model Lifecycle

Interactive OAuth threat-model flow

Arrows are generated from the stage-to-stage edge list, so each arrow connects the correct block in the lifecycle order.

Authorization Code + PKCE

Client configuration and request

Browser redirect and callback

Server token, session, API lifecycle

App registration

Client, redirect URI, scopes, app metadata.

Design-time trust

User starts flow

Flow binding

Authorization request

response_type, client_id, redirect_uri, scope, state, PKCE.

High risk

Consent screen

User approves app and permissions.

Forced consent

Callback redirect

Authorization code returns to client.

Top failure point

Browser landing page

URL, referrer, scripts, images, postMessage.

Leakage

Token exchange

Code exchanged for access/refresh tokens.

Single-use code

Session and account link

OIDC login maps identity to local account.

ATO risk

API access

Use token for resource calls and scopes.

Scope enforcement

Refresh, revoke, logout

Long-lived sessions and token rotation.

Lifecycle risk

Learning OAuth: Authorization Code + PKCE, with OIDC login notes

Click a step to see the API request/response shape and the exact fields that matter for security review. OAuth 2.0 authorizes API access; OIDC adds authentication and ID tokens when scope includes openid.

OAuth 2.0 + OIDC where scope=openid

Build auth request

Client sends browser to authorization endpoint.

/authorize

User authenticates

Authorization server logs in user and asks consent.

User + AS

Callback with code

Browser returns code and state to redirect_uri.

/callback

Exchange code

Public clients use PKCE; confidential clients also authenticate.

/token

Call API

Resource server checks bearer token and scopes.

Bearer token

Refresh / revoke

Client rotates or revokes long-lived access.

Lifecycle

Where OAuth and OIDC login flows break, and where to fix them.