qa.codes — API Testing Masterclass

OAuth 2.0 Flows Explained Simply

9 min read

OAuth 2.0 has a reputation for being complicated, and it earns that reputation honestly — it's a framework, not a single protocol, with multiple flows and dozens of optional extensions. The good news for QA engineers is that you don't need to understand every corner. You need to know enough to recognise which flow your API uses, get a token in your tests, and reason about what should happen when something goes wrong. This lesson cuts OAuth down to the parts that actually matter for testing.

What OAuth 2.0 solves

Plain authentication answers "who are you?" OAuth 2.0 answers a harder question: "How can a third-party app access my data on another service without my password?"

The classic example: a calendar app wants to read your Google Calendar. Without OAuth, you'd have to hand over your Google password — full access to your email, drive, photos, everything. With OAuth, you click "Sign in with Google," approve a specific scope ("read calendar events"), and the app gets a token limited to that scope. Your password never leaves Google.

That model — delegated, scoped, revocable authorisation — is now the standard for almost every modern public API.

The four players

Every OAuth flow involves four roles:

  • Resource Owner — you, the human user.
  • Client — the app asking for access (the calendar app, your test script, a microservice).
  • Authorization Server — the system that authenticates the user and issues tokens (Google's accounts.google.com, Auth0, Okta, your in-house SSO).
  • Resource Server — the API that holds the protected data (Google Calendar's API, your product API).

Mapping these onto your test setup early saves a lot of confusion later.

The flows that matter for QA

OAuth defines several flows. In practice you'll meet three:

Authorization Code Flow (web/mobile apps)

The flow used when a real user logs in via a browser:

The two-step nature (code first, token second) is what makes this flow secure — the short-lived code travels through the browser, but the long-lived token never does.

Client Credentials Flow (machine-to-machine)

The flow most QA automation actually uses. There is no human user — your test script is the client.

POST /oauth/token
Content-Type: application/x-www-form-urlencoded
 
grant_type=client_credentials
&client_id=test_app_42
&client_secret=secret_xyz
&scope=orders.read

The auth server replies with a token:

{
  "access_token": "eyJhbGciOiJI...",
  "token_type": "Bearer",
  "expires_in": 3600
}

You then use the token on every API call:

curl -H "Authorization: Bearer eyJhbGciOiJI..." https://api.example.com/orders

For test setup, this is nearly always the flow you want — no browser dance, no consent screens, fully automatable.

Resource Owner Password Flow (legacy)

The app sends the user's username and password directly to the auth server in exchange for a token. Officially deprecated; still found in internal tools where you need a "real user" token but don't want a browser. Avoid in new systems.

Tokens

The result of every OAuth flow is an access token. You attach it to API requests with:

Authorization: Bearer <access-token>

The "Bearer" word is part of the spec — anyone who bears the token can use it. That's why protecting the token in transit (HTTPS) and at rest (no logs, no localStorage in browsers when avoidable) matters.

Tokens have an expiry — usually 15 minutes to an hour. After that they stop working and you need a new one. Two ways to handle this:

  • Refresh tokens. A second, longer-lived token issued alongside the access token. Use it to get a new access token without re-authenticating.
  • Re-run the flow. For client-credentials this is cheap — just call the token endpoint again.

In test code, the simplest robust pattern is: get a token at the start of your suite, cache it, and refresh it lazily if a 401 comes back.

Scopes

Scopes define what the token is allowed to do. Common conventions:

  • orders.read — can read orders only.
  • orders.write — can read and modify orders.
  • admin — full access (use sparingly).

Tokens with the right scope succeed; tokens with the wrong scope return 403, even though the token itself is valid. As a tester, scope mismatch is a frequent source of "but it works for me" confusion — confirm you're testing with a token that has the scope the endpoint requires.

What to test

For an OAuth-protected endpoint:

  • Valid token, correct scope → 200.
  • Valid token, wrong scope → 403.
  • Expired token → 401.
  • Token issued by a different auth server (wrong iss claim) → 401.
  • Token meant for a different audience (wrong aud claim) → 401.
  • Token with tampered payload → 401 (signature check fails).
  • No token → 401.
  • Refresh flow works — get token, wait for expiry, refresh, use new token, succeed.
  • Revocation works — log out / revoke client → token immediately stops working (if your auth server supports active revocation; many don't, and rely on short expiries instead).

If you only had time for three of these, pick valid token success, expired token rejection, and wrong scope rejection — they cover the most common bugs.

A test setup pattern

A typical pattern for getting a token in a Python test suite:

import os, requests
 
def get_test_token():
    response = requests.post(
        os.environ["AUTH_TOKEN_URL"],
        data={
            "grant_type": "client_credentials",
            "client_id": os.environ["TEST_CLIENT_ID"],
            "client_secret": os.environ["TEST_CLIENT_SECRET"],
            "scope": "orders.read orders.write"
        },
        timeout=5
    )
    response.raise_for_status()
    return response.json()["access_token"]

The same shape — an HTTP POST with the four fields — works in every language. Treat it as a one-time helper your tests call once per run.

Don't try to learn OAuth fully on day one

OAuth has enormous surface area: PKCE, device flow, dynamic client registration, JWT-secured authorization requests, resource indicators. Almost none of it matters for the tests you'll write this week. Stick to the three flows above and you'll be productive across 95% of OAuth-protected APIs.

⚠️ Common mistakes

  • Confusing authentication and authorisation. Authentication = who you are (the token is valid). Authorisation = what you can do (the scope allows it). 401 vs 403 distinguishes them.
  • Re-authenticating on every request. Calling the token endpoint per API call is slow and gets you rate-limited. Get a token once, cache it, refresh on 401.
  • Storing client secrets in test code or VCS. Treat them like passwords. Env vars or secret manager only — never committed.

🎯 Practice task

Get a real OAuth token and use it. 30-40 minutes.

  1. Pick an API that uses OAuth — GitHub is a good starter. Create a personal access token (their simplified OAuth flow) with at least read:user scope.
  2. With curl, call GET https://api.github.com/user using Authorization: Bearer <your-token>. Confirm 200 and inspect the JSON.
  3. Try the same call with no token, an empty token, and Authorization: Bearer not-a-real-token. Note the status codes for each.
  4. Try a request that needs scopes you didn't grant (e.g. POST /user/repos without repo scope). Confirm 403, not 401.
  5. Open Authorization: Bearer <token> and copy your token to jwt.io. Note: GitHub tokens aren't JWTs (they're opaque) — the next lesson uses a JWT-issuing API instead.
  6. Stretch: sign up for a free Auth0 tenant (or use any test-friendly OAuth provider). Set up a "machine-to-machine" application, run the client-credentials flow with curl, and inspect the resulting JWT on jwt.io. You'll have practical experience of both flow types.

OAuth 2.0 won't be intimidating after you've run the flow once. The next lesson zooms in on the token format you just inspected: JWTs.

qa.codes/learn/api-testing-masterclass/oauth-2-flows

// tip to track lessons you complete and pick up where you left off across devices.