![Understand OAuth2 and OIDC in Practice](https://cdn.slatesource.com/1/0/4/1046183b-2377-444e-91ee-ae4fe5ef4610.jpg)

# Understand OAuth2 and OIDC in Practice

- [Made in Slatesource](https://slatesource.com/s/1023)
- By [KaiRenner](https://slatesource.com/u/KaiRenner)
- Science & Technology
- Created on Mar 23, 2026

## Why Can't the App Just Have My Password

Before OAuth2, delegating access meant sharing credentials. If you wanted a third-party app to read your email, you gave it your email password — and it could do anything with that password, including change it, read messages you didn't intend to share, and keep it forever. OAuth2 solves the authorization delegation problem: an identity provider issues scoped, time-limited tokens that grant specific permissions without ever revealing the user's password to the application. Understanding the flow explains not just your Authentik setup but every "Login with Google" button on the web.

> OAuth2 is about authorization. OpenID Connect is about identity.
>
> — KaiRenner · 24th of March 2026

## Understand the Four Grant Types

OAuth2 defines four grant types for different situations. The Authorization Code grant is for web apps and native apps: the app redirects to the identity provider, the user authenticates there, and a short-lived code is returned to the app. The Implicit g

## Follow the Full OIDC Authorization Code Flow

A user clicks Login on your Nextcloud instance. Nextcloud redirects the browser to Authentik's authorization endpoint, appending the client ID, requested scopes (openid profile email), a redirect URI, a random state parameter, and a PKCE code challenge. T

## Understand JWT Structure

The ID token returned by the flow is a JSON Web Token (JWT). A JWT has three parts separated by dots: header.payload.signature, each Base64URL-encoded. The header specifies the algorithm used for the signature (RS256 is common — RSA with SHA-256). The pay

## Know Which Token Does What

The ID token proves who the user is. It is consumed by the application that requested it to establish a session. It should not be forwarded to other services. The access token grants access to an API on behalf of the user. It is sent in HTTP request heade
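The two sections above describe the header.payload.signature layout and what the relying party must check before it trusts an ID token. The following is an added example, not code from the article or from Authentik or Nextcloud: it splits a compact JWT into its Base64URL parts and then validates it the way a client should, pinning the algorithm before looking at the signature and checking `iss`, `aud`, `exp` and `nonce`. It signs with HS256 (HMAC) because that is available in the Python standard library; the parsing and claim checks are identical for an RS256 token. The issuer URL, client ID, secret and claims are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed sample values for this example only (placeholders, not a real deployment).
SHARED_SECRET = b"example-hs256-secret-do-not-reuse"
ISSUER = "https://authentik.example.com/application/o/nextcloud/"
CLIENT_ID = "nextcloud-client-id"


def b64url_encode(raw: bytes) -> str:
    """Base64URL without '=' padding, as JWTs require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restore the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build header.payload.signature over the two Base64URL-encoded JSON parts."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def split_jwt(token: str) -> Tuple[dict, dict, bytes, str]:
    """Decode the three dot-separated parts. Decoding is not verification:
    anyone can read the header and payload of any JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a compact JWT has exactly three parts")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, b64url_decode(parts[2]), f"{parts[0]}.{parts[1]}"


def verify_id_token(token: str, secret: bytes, expected_nonce: str,
                    now: Optional[float] = None) -> dict:
    """Verify an ID token as the relying party: pin the algorithm, check the
    signature, then check iss, aud, exp and nonce. Returns the claims."""
    header, payload, sig, signing_input = split_jwt(token)
    # The header is untrusted until the signature is checked, so the client
    # decides the algorithm, never the token ("none" or a swapped alg is rejected).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    now = time.time() if now is None else now
    if payload.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    # aud must name this client: an ID token minted for another app is not ours.
    aud = payload.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise ValueError("token not intended for this client")
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    if payload.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return payload


def check_id_token(token: str, secret: bytes, expected_nonce: str, now: float) -> str:
    """Return 'ok' or the rejection reason; convenient for logging."""
    try:
        verify_id_token(token, secret, expected_nonce, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def make_sample_token(now: float, **overrides) -> str:
    """Mint a constructed ID token; overrides exercise the failure paths."""
    claims = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
              "iat": int(now), "exp": int(now) + 300, "nonce": "n-abc",
              "email": "alice@example.com"}
    claims.update(overrides)
    return sign_hs256({"alg": "HS256", "typ": "JWT"}, claims, SHARED_SECRET)
```

The order inside `verify_id_token` is the point: algorithm first, signature second, claims last. A client that trusts `alg` from the header, or that checks `exp` before the signature, is reasoning about data it has not yet authenticated.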

## Understand Why Each Step in the Flow Exists

The state parameter is a random value the client generates and includes in the redirect to the identity provider. When the provider redirects back, it echoes the state. The client verifies it matches. This prevents CSRF attacks: an attacker cannot forge a
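The flow walked through above (redirect with client ID, scopes, redirect URI, state and PKCE challenge) and the explanation of why `state` exists are easiest to see as both halves of the client: building the authorization request, then handling the callback. This is an added example and not code from the article, Authentik or Nextcloud; the endpoint URL, client ID and redirect URI are placeholders, and the callback URL in the usage is constructed. It stores `state`, `nonce` and the PKCE verifier in the client's own session, sends only the challenge to the provider, rejects any callback whose `state` is not the one this session generated, and shows the check the provider performs on the verifier at the token endpoint.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values for this example only; not a real Authentik or Nextcloud URL.
AUTHORIZE_ENDPOINT = "https://authentik.example.com/application/o/authorize/"
CLIENT_ID = "nextcloud-client-id"
REDIRECT_URI = "https://cloud.example.com/apps/oidc/callback"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_pkce_pair():
    """PKCE S256: verifier is random and high-entropy; the challenge sent to
    the provider is base64url(SHA-256(verifier))."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def query_params(url: str) -> dict:
    """Flatten the query string of a URL into a single-valued dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def build_authorization_request(session: dict) -> str:
    """Step 1: remember state, nonce and verifier server-side, then redirect
    the browser to the provider with state, nonce and the challenge."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    verifier, challenge = new_pkce_pair()
    session.update({"oauth_state": state, "oidc_nonce": nonce,
                    "pkce_verifier": verifier})
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(callback_url: str, session: dict) -> dict:
    """Step 2: the provider redirects back with code and state. Accept the
    code only if state matches what THIS session generated (CSRF defence),
    then build the token request, which carries the verifier so the provider
    can confirm SHA-256(verifier) == challenge (code-interception defence)."""
    query = query_params(callback_url)
    if "error" in query:
        raise ValueError(f"provider returned error {query['error']}")
    expected_state = session.pop("oauth_state", None)  # single use
    returned_state = query.get("state", "")
    if not expected_state or not secrets.compare_digest(returned_state, expected_state):
        raise ValueError("state mismatch: callback not bound to this session")
    if not query.get("code"):
        raise ValueError("callback carried no authorization code")
    return {
        "grant_type": "authorization_code",
        "code": query["code"],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session.pop("pkce_verifier"),
    }


def callback_outcome(callback_url: str, session: dict) -> str:
    """'ok' or the rejection reason; what you would write to the audit log."""
    try:
        handle_callback(callback_url, session)
        return "ok"
    except ValueError as exc:
        return str(exc)


def provider_checks_pkce(token_request: dict, challenge_seen_at_authorize: str) -> bool:
    """The provider's side at the token endpoint: recompute the challenge
    from the submitted verifier and compare with the one from step 1."""
    digest = hashlib.sha256(token_request["code_verifier"].encode("ascii")).digest()
    return secrets.compare_digest(b64url(digest), challenge_seen_at_authorize)
```

Two details matter for the defences the text describes: the verifier never appears in the browser redirect, only its hash does, and `state` is popped from the session on first use so a replayed or cross-session callback cannot match anything.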

> Never store access tokens or ID tokens in localStorage. JavaScript running on the same page — including third-party scripts from analytics providers, ads, or CDN-hosted libraries — can read localStorage and exfiltrate tokens silently. The secure storage option for web applications is an httpOnly, Secure, SameSite=Strict cookie, which is not accessible to JavaScript at all. Server-side session storage is even better.

## What Comes Next

JWTs are signed with cryptographic keys, and the security of those signatures depends entirely on the algorithm chosen. Some historical JWT algorithm choices — notably the alg:none vulnerability and early RSA/HMAC confusion attacks — had serious weaknesses worth understanding. That leads naturally into the broader world of applied cryptography and why algorithm selection matters.


[OAuth 2.0 specification and resources](https://oauth.net/2/?utm_source=slatesource)