Terminology | Intermediate | 4-6 min | reference

OAuth 2.0 for QA

OAuth 2.0 is an authorization framework — it grants an app limited access to a resource on a user's behalf. It is not authentication (that's OpenID Connect, layered on top). This is a tester-friendly lookup for the vocabulary and the checks you can safely run against an API. For deeper auth-security work, follow the links below.

Vocabulary

Term | What it is
Resource Owner | The user who owns the data
Client | The app requesting access
Authorization Server | Issues tokens (e.g. login provider)
Resource Server | The API holding the protected data
Access token | Short-lived credential sent on API calls (Authorization: Bearer …)
Refresh token | Long-lived credential used to get a new access token
Scope | The specific permissions granted (e.g. read:orders)

Grant flows (which you'll meet)

Flow | Used by | Note
Authorization Code + PKCE | Web & mobile apps | The default today; PKCE is required for public clients
Client Credentials | Service-to-service | No user; app authenticates as itself
Device Code | TVs, CLIs | User authorizes on a second device
Implicit | legacy | Deprecated — flag if you see it
Resource Owner Password | legacy | Avoid — app handles the raw password
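PKCE is the part of the Authorization Code flow a tester can check by hand: the client sends a code_challenge with the authorization request and the matching code_verifier with the token request, and the authorization server recomputes the challenge before issuing a token. The following is an added example (not code from the original page) showing both sides of that exchange; the RFC 7636 test vector is used as the sample input, and the parameter-building helper and its client_id and redirect_uri values are assumptions for illustration.

```python
import base64
import hashlib
import secrets


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: a high-entropy code_verifier (RFC 7636 wants 43-128 unreserved chars)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))) with the '=' padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_params(client_id: str, redirect_uri: str, verifier: str) -> dict:
    """Hypothetical helper: the query parameters a PKCE-using client puts on the
    authorization request. Reviewers can compare these against what the browser sends."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "read:orders",
        "state": secrets.token_urlsafe(16),          # CSRF protection for the redirect
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }


def verify_pkce(verifier: str, challenge: str, method: str = "S256") -> bool:
    """Authorization-server side at the token endpoint: recompute the challenge from the
    verifier the client just presented and compare it in constant time."""
    if method == "S256":
        return secrets.compare_digest(make_code_challenge(verifier), challenge)
    if method == "plain":                            # allowed by the RFC, but weaker
        return secrets.compare_digest(verifier, challenge)
    return False                                     # unknown method: reject


if __name__ == "__main__":
    # Sample input: the verifier/challenge pair from RFC 7636 Appendix B.
    rfc_verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    print(make_code_challenge(rfc_verifier))
    # → E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
    v = make_code_verifier()
    params = build_authorization_params("example-client", "https://app.example/cb", v)
    print(verify_pkce(v, params["code_challenge"]))  # True
```

A public client (mobile app, SPA) that omits code_challenge from its authorization request, or whose authorization server accepts a token request without a code_verifier, is worth flagging in review, since the whole point of PKCE is that an intercepted authorization code is useless without the verifier.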

What QA can safely verify

  • A valid token returns 200; a missing token returns 401.
  • A token with the wrong scope returns 403, not 200 with empty data.
  • An expired access token returns 401; the refresh flow then issues a new one.
  • A token for user A cannot read user B's resources (authorization, not just authentication).
  • Tokens are sent only over HTTPS and never appear in logs, URLs, or analytics events.
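The checklist above maps directly onto a small automated suite. The following is an added example (not code from the original page): it stands up an in-process fake authorization server and resource server so the checks run offline, then exercises every item in the list, including the expiry-then-refresh sequence and the cross-user case. The endpoint path /orders/<user>, the scope name read:orders, the user names and the introspection-style token lookup are all constructed for illustration; against a real API the same check functions would call the HTTP endpoints instead.

```python
import secrets
from dataclasses import dataclass

READ_ORDERS = "read:orders"


@dataclass
class AccessToken:
    subject: str        # the user the token was issued for
    scopes: frozenset   # granted permissions
    expires_at: int     # unix seconds, compared against the injected clock


class FakeAuthServer:
    """Constructed stand-in for the authorization server: issues and refreshes tokens."""

    def __init__(self, clock):
        self.clock = clock          # callable returning "now" so tests can move time
        self.access = {}            # access token string -> AccessToken
        self.refresh_tokens = {}    # refresh token string -> (subject, scopes)

    def _new_access(self, subject, scopes, ttl=3600):
        tok = secrets.token_urlsafe(16)
        self.access[tok] = AccessToken(subject, frozenset(scopes), self.clock() + ttl)
        return tok

    def issue(self, subject, scopes):
        """Initial grant: returns (access_token, refresh_token)."""
        rt = secrets.token_urlsafe(16)
        self.refresh_tokens[rt] = (subject, frozenset(scopes))
        return self._new_access(subject, scopes), rt

    def refresh(self, refresh_token):
        """Refresh-token grant: trade a refresh token for a new access token."""
        subject, scopes = self.refresh_tokens[refresh_token]
        return self._new_access(subject, scopes)

    def introspect(self, token):
        """None for unknown or expired tokens, otherwise the token's claims."""
        tok = self.access.get(token)
        if tok is None or tok.expires_at <= self.clock():
            return None
        return tok


class FakeResourceServer:
    """Constructed API: GET /orders/<user> needs a live token with read:orders for that user."""

    def __init__(self, auth):
        self.auth = auth

    def get(self, path, headers):
        header = headers.get("Authorization", "")
        if not header.startswith("Bearer "):
            return 401, {"error": "invalid_request"}     # no credential at all
        tok = self.auth.introspect(header[len("Bearer "):])
        if tok is None:
            return 401, {"error": "invalid_token"}       # unknown or expired
        if READ_ORDERS not in tok.scopes:
            return 403, {"error": "insufficient_scope"}  # authenticated, wrong scope
        owner = path.rsplit("/", 1)[-1]
        if owner != tok.subject:
            return 403, {"error": "forbidden"}           # authenticated, not their data
        return 200, {"orders": [f"order-1-{owner}"]}


def bearer(token):
    return {"Authorization": f"Bearer {token}"}


def run_qa_checks(now=1_000_000):
    """Runs the checklist against the fakes and returns {check name: passed?}."""
    clock = [now]
    auth = FakeAuthServer(lambda: clock[0])
    api = FakeResourceServer(auth)
    alice, alice_refresh = auth.issue("alice", {READ_ORDERS})
    alice_no_scope, _ = auth.issue("alice", {"read:profile"})

    results = {}
    results["valid_token_200"] = api.get("/orders/alice", bearer(alice))[0] == 200
    results["missing_token_401"] = api.get("/orders/alice", {})[0] == 401
    status, body = api.get("/orders/alice", bearer(alice_no_scope))
    results["wrong_scope_403_not_empty_200"] = status == 403 and "orders" not in body
    results["cross_user_blocked"] = api.get("/orders/bob", bearer(alice))[0] != 200
    clock[0] += 3601                                     # step past the token's lifetime
    results["expired_401"] = api.get("/orders/alice", bearer(alice))[0] == 401
    fresh = auth.refresh(alice_refresh)                  # the refresh flow issues a new one
    results["refresh_restores_200"] = api.get("/orders/alice", bearer(fresh))[0] == 200
    return results


if __name__ == "__main__":
    for name, ok in run_qa_checks().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Injecting the clock is what makes the expiry check deterministic; against a real authorization server you would either request a token with a very short lifetime or keep a known-expired token from an earlier run. The wrong-scope check deliberately inspects the body as well as the status, because a 403 that still leaks data is the bug the checklist is warning about.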

When to use

Writing API tests around protected endpoints, reviewing an auth story, or sanity-checking scope/expiry behaviour. Keep destructive token-forgery and brute-force work to authorized security testing.

Common mistakes

  • Confusing 401 (not authenticated) with 403 (authenticated, not allowed).
  • Testing only the happy path — expiry, wrong scope, and cross-user access are where bugs hide.
  • Hard-coding a token that expires mid-run instead of refreshing it.
  • Assuming OAuth = login; without OIDC there is no verified user identity.