OAuth 2 Grant Type

Excellent 👏 — you’re referring to OAuth 2.0 Grant Types and their Flows, which are essential in any microservices modernization or cloud-native banking platform, especially when integrating with Azure AD, Keycloak, or Auth0.

Let’s go step-by-step — covering what each grant type is, how the flow works, when to use it, and how it fits into your microservices or API gateway design.

🔐 1. What Are “Grant Types”?

A grant type defines how a client (frontend or service) obtains an access token from the Authorization Server (Identity Provider) in OAuth 2.0.

Each type suits a different client:

• Browser-based SPA (React/Angular)

• Mobile App

• Backend microservice

• Machine-to-Machine (M2M)

• Legacy app migrating to modern security

🧩 2. The Main OAuth 2.0 Grant Types

🔄 3. Authorization Code Flow (with PKCE)

🔧 Use Case:

User authenticates via browser — typical for React/Angular frontend calling Spring Boot microservices.

🧭 Flow Steps

1. Frontend → Auth Server (Azure AD / Keycloak)Redirect user to /authorize endpoint with:

   response_type=code client_id=web-app redirect_uri=https://app/callback code_challenge=<PKCE_HASH>

2. User logs in (via Azure AD or Keycloak login UI)

3. Auth Server → FrontendRedirects back with authorization_code.

4. Frontend → Auth Server (Token Endpoint)Exchanges the code + PKCE verifier for:

   • access_token

   • refresh_token

5. Frontend → API Gateway / MicroserviceSends API call with:

   Authorization: Bearer <access_token>

6. Microservice validates token (using public key / introspection).

🔒 Security:

• PKCE = Proof Key for Code Exchange (prevents code interception).

• Never exposes tokens in browser URLs.

• Most secure for user-facing applications.

⚙️ 4. Client Credentials Flow (Service-to-Service)

🔧 Use Case:

Microservice A calls Microservice B securely — common in microservices ecosystems.

🧭 Flow Steps

1. Service A → Auth ServerSends:

   grant_type=client_credentials client_id=service-a client_secret=abc123

2. Auth Server → Service AReturns access_token.

3. Service A → Service BSends request with:

   Authorization: Bearer <access_token>

4. Service B validates token using public keys (JWKS) or introspection endpoint.

🔒 Security:

• Token represents the service identity, not a user.

• Best for internal APIs, Kafka consumers, or background batch jobs.

• Tokens often scoped (e.g., scope=loan:read).

🧰 5. Resource Owner Password Credentials (ROPC) Flow

⚠️ Deprecated — Use Only for Legacy Integration

🔧 Use Case:

Legacy EJB/Oracle UI directly collects username/password (no browser redirect).

🧭 Flow Steps

1. Client → Auth Server

   grant_type=password username=user1 password=pass123 client_id=legacy-app

2. Auth Server → ClientReturns access_token.

3. Client uses token to access microservices.

🔒 Security:

• Insecure: app handles raw credentials.

• Use only as temporary workaround during modernization.

• Replace with Authorization Code + PKCE as soon as possible.

🔁 6. Refresh Token Flow

Used to get new access tokens without re-login.

🧭 Flow Steps

1. Client already has a valid refresh_token.

2. Client → Auth Server

   grant_type=refresh_token refresh_token=<token>

3. Auth Server → ClientReturns new access_token.

🔒 Security:

• Refresh tokens should be stored securely (encrypted).

• In mobile/browser, use short-lived access tokens and silent refresh.

📺 7. Device Code Flow

Used for devices without browser or keyboard (e.g., ATM terminal, TV app).

🧭 Flow Steps:

1. Device requests a device code.

2. User logs in via browser (on another device).

3. Device polls for token.

4. Auth server issues access token.

⚙️ 8. How These Fit in Microservices Architecture

🔐 9. Token Validation Patterns

🧱 10. Example: Banking Microservices Flow

[User] → [React App]
   ↓ (Auth Code + PKCE)
[Azure AD / Keycloak] → Issues access_token (JWT)
   ↓
[API Gateway] → Validates JWT (scope: loan:write)
   ↓
[Loan-Service] → Calls Credit-Service
   ↓ (Client Credentials)
[Auth Server] → Issues service token (scope: credit:read)
   ↓
[Credit-Service] → Returns credit score

🧩 11. Tools & Frameworks

🧠 12. Interview-Ready Summary

🧩 Context

In OAuth 2.0 or OpenID Connect, tokens (access tokens, refresh tokens, ID tokens) are what let users or systems access protected APIs.Because they are bearer tokens — anyone who has them can use them — securing them is critical.

⚠️ 1️⃣ Common Token Attack Scenarios

🛡️ 2️⃣ Core Token Protection Mechanisms

✅ (a) Use HTTPS/TLS for every token exchange

Never exchange tokens over HTTP. Enforce TLS 1.2+.

✅ (b) Use short-lived access tokens

• Keep access tokens valid for 5–15 minutes only.

• Combine with refresh tokens that are bound and revocable.

✅ (c) Implement Proof-of-Possession (DPoP) or mTLS

Instead of a plain bearer token, bind tokens to a client certificate or key.

✅ (d) Use PKCE (Proof Key for Code Exchange) for public clients

Prevents code interception attacks in mobile or SPA flows.

Flow:

1. Client generates code_verifier and hash code_challenge.

2. Sends code_challenge in /authorize request.

3. Later, exchanges code for token using code_verifier.→ Attacker who intercepts authorization code cannot use it.

✅ (e) Use audience & issuer validation

APIs must verify that:

• The token’s aud (audience) matches their API identifier.

• The token’s iss (issuer) is the trusted authorization server.

✅ (f) Use JWT signature and encryption

• Access tokens are JWTs signed with private key (RS256 or ES256).

• APIs validate signature before trusting claims.

• Optionally, encrypt tokens (JWE) if sensitive info exists.

✅ (g) Token storage hygiene

For browser apps:

• Never store tokens in localStorage or sessionStorage.

• Use HTTP-only secure cookies.For backend or mobile apps:

• Use secure OS keystore / vaults (e.g., Azure Key Vault, AWS Secrets Manager).

✅ (h) Rotate keys (JWKS rotation)

Use short-lived signing keys, rotate frequently via JWKS endpoint.Invalidate old tokens after rotation if possible.

✅ (i) Centralized token introspection and revocation

• Maintain introspection endpoint (/introspect) to validate tokens.

• Use refresh token rotation — issue new refresh token each time.

✅ (j) Threat detection

• Detect token anomalies: usage from multiple IPs, geographies, or devices.

• Use SIEM tools (e.g., Azure Sentinel, Splunk) to correlate anomalies.

🧰 3️⃣ Practical Example (Banking Microservices)

🧠 4️⃣ In summary:

To prevent token hacking:

Short version:

Perfect 👍 — here’s a secure OAuth 2.0 Authorization Code Flow with PKCE + mTLS + Refresh Token Rotation sequence, commonly used in banking microservices where security and compliance are critical.

🧩 Actors

• 👤 User (Customer)

• 🌐 Frontend App (Public Client - SPA or Mobile)

• 🔐 Authorization Server (e.g., Azure AD / Keycloak / PingID)

• 🚪 API Gateway

• ⚙️ Microservice (e.g., Account / Loan Service)

• 🧱 mTLS + Token Introspection Service

🔄 Sequence Diagram (Text Representation)

User              Frontend App              Auth Server               API Gateway           Microservice
 |                     |                         |                          |                      |
 |-- 1. Login Request ->|                         |                          |                      |
 |                     |-- 2. /authorize?code_challenge -->|                 |                      |
 |                     |                         |-- 3. Authenticates user  |                      |
 |                     |                         |<-- 4. Auth code ---------|                      |
 |                     |-- 5. /token (code_verifier + mTLS cert) ----------->|                      |
 |                     |                         |-- 6. Validate cert (mTLS)                        |
 |                     |                         |-- 7. Issue short-lived JWT Access Token & Refresh|
 |                     |<------------------------|                         |                      |
 |                     |-- 8. API Call (Bearer token + DPoP/mTLS) --------->|                      |
 |                     |                         |-- 9. Validate JWT (iss, aud, exp, sig)          |
 |                     |                         |-- 10. Token introspection (optional) ----------->|
 |                     |                         |                          |-- 11. Validate active token |
 |                     |                         |                          |<-- 12. OK --------------|
 |                     |                         |-- 13. Forward request -------------------------->|
 |                     |                         |                          |--> 14. Process request |
 |                     |                         |                          |<-- 15. Response -------|
 |<-----------------------------------------------------------------------------------------------|
 |                     |                         |                          |                      |
 |-- 16. After expiry, /token (refresh) with rotation --------------------->|                      |
 |                     |                         |-- 17. Revoke old refresh token                  |
 |                     |                         |-- 18. Issue new Access + Refresh Token ---------|
 |                     |<------------------------|                         |                      |

🔒 Key Security Elements

⚙️ Example Access Token (JWT Claims)

{
  "iss": "https://auth.bank.com",
  "sub": "user123",
  "aud": "https://api.bank.com/account",
  "exp": 1739980800,
  "client_id": "bank-frontend-app",
  "cnf": {
    "x5t#S256": "abc123xyz"  // Certificate thumbprint for mTLS binding
  },
  "scope": "read:account write:transfer"
}

🧰 Tools Used in Implementation

🧠 Outcome

✅ Secure against token theft, replay, interception, and misuse.✅ Meets RBI/SEBI data protection & security guidelines.✅ Enables zero-trust microservice-to-microservice communication.