FrontendInterviews.dev

OAuth 2.0 + OIDC + PKCE for Frontend Auth Flows

Medium•

OAuth 2.0

Delegated authorization

  • - Access tokens for APIs
  • - Not identity by itself

OIDC

Identity layer on OAuth

  • - id_token + user claims
  • - Discovery + JWKS validation

PKCE

Public-client proof

  • - Mitigates code interception
  • - Required for SPA/mobile

Session strategy

Runtime safety

  • - Short access token lifetime
  • - Refresh/revocation policy

Core Lens

Separate authorization from identity and enforce public-client constraints in browser apps.

Flow

Authorize→
Callback→
Code exchange→
Token/session lifecycle

OAuth and OIDC are protocol frameworks that define how applications delegate authorization and establish identity.

For frontend architecture, the important design questions are not just how to log a user in, but how to safely handle tokens, how to recover when tokens expire, and how to prevent browser runtime compromise from exposing credentials.

Strong frontend systems clearly separate responsibilities between the browser, the identity provider, and backend APIs.

Quick Navigation: OAuth Roles and System Boundaries • Authorization Code + PKCE Flow • OIDC: Identity Layer on Top of OAuth • Token Types and Responsibilities • SPA Security Model • Token Storage Tradeoffs • Architecture Pattern: Backend-for-Frontend (BFF) • Token Lifecycle and Reliability

Quick Decision Guide

Senior-Level Decision Guide:

- OAuth handles delegated authorization while OIDC provides identity. - Browser-based apps must use Authorization Code + PKCE instead of the deprecated implicit flow. - SPAs are public clients and cannot safely store client secrets. - Token exposure in browser storage increases XSS blast radius. - Token refresh and session rotation must be designed as reliability systems, not just security features.

OAuth Roles and System Boundaries

OAuth defines four core actors:

•Resource Owner (the user)
•Client (your frontend app)
•Authorization Server (identity provider)
•Resource Server (protected API)

In frontend interviews, a key point is recognizing that browser apps are public clients. Unlike backend services, they cannot safely hold confidential client secrets.

Authorization Code + PKCE Flow

Modern browser apps use the Authorization Code flow with PKCE.

High-level steps:

1. Client generates a code_verifier.

2. Derives a code_challenge from the verifier.

3. Redirects user to the authorization endpoint.

4. Identity provider redirects back with an authorization code.

5. Client exchanges the code and verifier for tokens.

PKCE ensures that the party initiating the authorization request is the same one completing the token exchange, protecting against intercepted authorization codes.

OIDC: Identity Layer on Top of OAuth

OAuth itself only describes authorization. OIDC extends OAuth to provide identity verification.

Key additions:

•id_token containing identity claims
•standardized discovery metadata
•JWKS key distribution
•userinfo endpoint

OIDC ensures the application can verify the authenticated user rather than simply receiving an authorization grant.

Token Types and Responsibilities

Typical OAuth/OIDC flows produce multiple tokens:

•Access token – used to call protected APIs
•Refresh token – used to obtain new access tokens
•ID token – contains authenticated user identity claims

Frontend architecture must treat these tokens differently based on sensitivity, lifetime, and intended usage.

SPA Security Model

Browsers are hostile runtime environments from a security perspective.

Risks include:

•XSS exposing tokens
•malicious browser extensions
•compromised third-party scripts

Because of this threat model, frontend applications should minimize token lifetime, limit token exposure in JavaScript-accessible storage, and rely on secure session mediation when possible.

Token Storage Tradeoffs

Common storage strategies include:

•in-memory storage
•secure cookies
•localStorage or sessionStorage

Each has tradeoffs:

•memory storage reduces persistence but requires refresh on reload
•cookies allow server mediation but require CSRF protection
•localStorage increases persistence but expands XSS attack surface

Staff-level answers describe the threat model rather than claiming a single universal best practice.

Architecture Pattern: Backend-for-Frontend (BFF)

Many large systems avoid storing OAuth tokens directly in the browser.

Instead, a backend-for-frontend service performs OAuth exchanges and stores tokens server-side. The browser receives a session cookie instead of raw provider tokens.

Benefits include:

•reduced token exposure
•centralized refresh logic
•simplified client logic

This pattern is common in enterprise systems with strict security requirements.

Token Lifecycle and Reliability

Authentication systems must handle token expiration and refresh safely.

Common problems include:

•silent refresh loops when refresh fails
•multiple tabs triggering concurrent refresh attempts
•expired tokens causing cascading API failures

Robust systems implement refresh coordination, retry limits, and clear fallback paths when authentication state becomes invalid.

Failure Modes and Production Pitfalls

Typical production incidents include:

•invalid callback URIs causing redirect loops
•missing state or nonce validation
•provider outages breaking refresh flows
•race conditions between multiple tabs refreshing tokens

Frontend engineers must design degraded behavior such as forced re-authentication when identity providers become unavailable.

Interview Rubric (Staff Level)

A strong interview answer should explain:

•OAuth vs OIDC responsibilities
•why SPAs are public clients
•how PKCE protects authorization code exchange
•token lifecycle and refresh strategies
•security implications of browser token storage
•architectural tradeoffs such as BFF patterns

Weak answers describe login redirects. Strong answers explain security boundaries and operational recovery behavior.

Key Takeaways

1OAuth provides authorization while OIDC adds identity verification.
2Authorization Code + PKCE is the modern baseline for browser authentication.
3SPAs are public clients and cannot safely store client secrets.
4Token storage decisions affect the XSS attack surface.
5BFF architectures reduce token exposure in the browser.
6Token refresh design affects both reliability and security.
7Staff-level answers emphasize threat modeling and failure handling.
Previous
Authentication Best Practices
Complete & Next
Authorization Best Practices