OAuth2 Flows

Cliff notes from Dominick Baier’s OAuth2 Flows.

Authorization Code Flow


Characteristics: web application (server-based) clients; a confidential, secured client where nobody can see the user's credentials; human involvement; consent screen; authorization happens in the authorization server.

Applies to: web applications.


  1. Request authorization.
  2. Request token.
  3. Access resource.
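
The three steps above from the client's side, as an added example that is not part of the original notes: it builds each request offline. The endpoint URLs, client id and secret are constructed placeholders, and the `state` check is standard OAuth2 practice rather than something these notes state.

```python
import base64
import hmac
from urllib.parse import parse_qs, quote_plus, urlencode, urlsplit

# Constructed sample values (assumptions, not from the original notes).
AUTHORIZE_URL = "https://as.example/authorize"
REDIRECT_URI = "https://app.example/callback"
CLIENT_ID, CLIENT_SECRET = "webapp", "placeholder-secret"

def authorization_request(scope, state):
    """Step 1: URL the browser is sent to; login and consent happen there."""
    return AUTHORIZE_URL + "?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "scope": scope, "state": state})

def code_from_callback(callback_url, expected_state):
    """Check the redirect back to the client and return the one-time code."""
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response is not tied to this session")
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    return params["code"][0]

def token_request(code):
    """Step 2: back-channel POST; the client secret never reaches the browser."""
    pair = quote_plus(CLIENT_ID) + ":" + quote_plus(CLIENT_SECRET)
    headers = {"Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI})
    return headers, body

def resource_request(access_token):
    """Step 3: present the access token to the resource server."""
    return {"Authorization": "Bearer " + access_token}

if __name__ == "__main__":
    state = "constructed-session-state"  # in practice: a fresh random value per session
    print(authorization_request("read", state))
    code = code_from_callback(REDIRECT_URI + "?code=constructed-code&state=" + state, state)
    print(token_request(code))
    print(resource_request("constructed-access-token"))
```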

Implicit Flow


Characteristics: native / local clients, user-agent based clients, human involvement, consent screen, authorization happens in the authorization server.

Applies to: third-party native applications (JavaScript applications included).


  1. Request authorization & token.
  2. Access resource.

Resource Owner Credential Flow


Characteristics: trusted clients, no human involvement, no consent screen, authorization happens in the client.

Applies to: official native applications (JavaScript applications included).


  1. Request token with resource owner credentials.
  2. Access resource.

Client Credential Flow


Characteristics: client-to-service communication, no human involvement, no consent screen, authorization happens in the client.

Applies to: machine-to-machine communication, service communication to the authorization server without ‘act as’.


  1. Request token with client credentials.
  2. Access resource.

Assertion Flow


Characteristics: uses one of the ‘core’ flows, accesses another trusted system (partner).

Applies to: translating between identity management systems (ADFS’s SAML to Thinktecture’s JWT), communication with a partner’s resources using the client’s credentials.


  1. Request token using ‘core’ flow (Authorization Code, Implicit, Resource Owner Credential, Client Credential).
  2. Request token using ‘assertion’ flow.
  3. Use token.
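
Steps 2 and 3 of the assertion flow as an added example, not code from the original notes or from Thinktecture: a partner authorization server accepts a token issued by the home server as an assertion, checks it, and issues its own token for the partner API. To stay self-contained it uses JWT on both sides with shared HMAC keys, where a real federation such as the ADFS case would use SAML or asymmetric signatures; all URLs and keys are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed names and keys (assumptions, not from the original notes).
HOME_AS = "https://as.home.example"
PARTNER_AS = "https://as.partner.example"
PARTNER_API = "https://api.partner.example"
TRUST_KEY = b"constructed-key-home-as-and-partner-as"    # stands in for the federation trust
PARTNER_KEY = b"constructed-key-partner-as-and-api"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # RFC 7523 grant type

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(claims, key):
    """Sign claims as a compact HS256 JWT."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify(token, key, issuer, audience, now):
    """Check the signature, then issuer, audience and expiry; return the claims."""
    head, body, sig = token.split(".")
    if json.loads(_unb64(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    good = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(good, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def partner_token_endpoint(form, now):
    """Step 2, partner side: swap a trusted assertion for a partner-issued token."""
    if form.get("grant_type") != JWT_BEARER:
        raise ValueError("unsupported grant_type")
    src = verify(form.get("assertion", ""), TRUST_KEY, HOME_AS, PARTNER_AS, now)
    return issue({"iss": PARTNER_AS, "aud": PARTNER_API,
                  "sub": src["sub"], "exp": now + 300}, PARTNER_KEY)
```

The token from step 1 is whatever the home server returned from a core flow; here it would be `issue({...}, TRUST_KEY)` with `aud` set to the partner authorization server, and step 3 is the partner API calling `verify` with `PARTNER_KEY`.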

Learning Paths

With so many tutorials, articles and resources available on the Internet, learning a new programming language, framework or library has become much easier. However, for all its advantages, this abundance of readily available resources has also become a problem of its own: where should I start?

With so many options available, it can be confusing to even start learning. I present my learning paths to solve this problem. Learning paths will guide you through learning programs for each subject you are interested in. Think of this as a curriculum for the degree you want to get.

Most of the courses are from Pluralsight.com, but these learning paths are not limited to just Pluralsight.com. I also include some free courses from other sources. While I understand that you may have to pay for some of these courses, I can assure you that paying the subscription is worth it (especially Pluralsight!).

I will update these learning paths to include more subjects and courses in the future. Stay tuned!


Level Course
0100 Get the Android SDK (http://developer.android.com/sdk/index.html)
0101 Getting Started (http://developer.android.com/training/index.html). Prerequisite: 0100
0102 Introduction to Android Development (http://pluralsight.com/training/Courses/TableOfContents/android-intro)
0200 Android Async Programming and Services (http://pluralsight.com/training/Courses/TableOfContents/android-services). Prerequisite: 0101 or 0102


Level Course
0100 AngularJS Fundamentals (http://pluralsight.com/training/Courses/TableOfContents/angularjs-fundamentals)
0200 AngularJS In-Depth (http://pluralsight.com/training/Courses/TableOfContents/angularjs-in-depth). Prerequisite: 0100
0201 Testing AngularJS From Scratch (http://pluralsight.com/training/Courses/TableOfContents/testing-angularjs-from-scratch). Prerequisite: 0100


Level Course
0100 ASP.NET MVC Fundamentals (http://pluralsight.com/training/Courses/TableOfContents/aspdotnet-mvc)
0200 ASP.NET MVC 5 Fundamentals (http://pluralsight.com/training/Courses/TableOfContents/aspdotnet-mvc5-fundamentals). Prerequisite: 0100


Level Course
0100 Introduction to the ASP.NET Web API (http://pluralsight.com/training/Courses/TableOfContents/aspnetwebapi)
0200 Web API v2 Security (http://pluralsight.com/training/Courses/TableOfContents/webapi-v2-security). Prerequisite: 0100
0201 Web API Design (http://pluralsight.com/training/Courses/TableOfContents/web-api-design). Prerequisite: 0100


Level Course
0100 C# Basic (http://csharp-station.com/Tutorial/CSharp)
0101 C# From Scratch (http://pluralsight.com/training/Courses/TableOfContents/csharp-from-scratch)
0102 C# From Scratch – Part 2 (http://pluralsight.com/training/Courses/TableOfContents/csharp-from-scratch-part2). Prerequisite: 0101
0200 Object-Oriented Programming Fundamentals in C# (http://pluralsight.com/training/Courses/TableOfContents/object-oriented-programming-fundamentals-csharp). Prerequisite: 0100 or 0102

Entity Framework

Level Course
0100 Getting Started with Entity Framework 5 (http://pluralsight.com/training/Courses/TableOfContents/entity-framework5-getting-started)
0200 Entity Framework Code First Migrations (http://pluralsight.com/training/Courses/TableOfContents/efmigrations). Prerequisite: 0100

JavaScript & jQuery

Level Course
0100 W3Schools’s JavaScript Tutorial (http://www.w3schools.com/js/default.asp)
0101 JavaScript Fundamentals (http://pluralsight.com/training/Courses/TableOfContents/jscript-fundamentals)
0120 DO Factory’s JavaScript + jQuery Design Pattern Framework – JavaScript & Pattern Essentials (http://www.dofactory.com/products/javascript-jquery-design-pattern-framework). Prerequisite: 0100 or 0101
0200 JavaScript Design Patterns (http://pluralsight.com/training/Courses/TableOfContents/javascript-design-patterns). Prerequisite: 0100 or 0101
0300 jQuery Fundamentals (http://pluralsight.com/training/Courses/TableOfContents/jquery-fundamentals). Prerequisite: 0200

WIF, Claims-based Identity, OAuth2

Level Course
0100 Introduction to Identity and Access Control in .NET 4.5 (http://pluralsight.com/training/Courses/TableOfContents/iac-intro)
0200 Identity and Access Control in ASP.NET 4.5 (http://pluralsight.com/training/Courses/TableOfContents/iac-aspnet). Prerequisite: 0100
0201 Identity and Access Control in WCF 4.5 (http://pluralsight.com/training/Courses/TableOfContents/iac-wcf). Prerequisite: 0100
0202 Web API v2 Security (http://pluralsight.com/training/Courses/TableOfContents/webapi-v2-security). Prerequisite: 0100
0300 Introduction to OAuth2, OpenID Connect and JSON Web Tokens (JWT) (http://pluralsight.com/training/Courses/TableOfContents/oauth2-json-web-tokens-openid-connect-introduction). Prerequisite: 0200 or 0201 or 0202