Companion posts for oauth-lab on GitHub: incremental Flask snapshots from authorization code flow through JWKS and RS256. Read in order.

1. v01 – Learning OAuth 2 by Building It, One Version at a Time
2. v02 – Adding OAuth State to Stop CSRF
3. v03 – Adding PKCE to Stop Authorization Code Interception
4. v04 – Using the Access Token on a Protected API
5. v05 – Refresh Tokens and Silent Re-authentication
6. v06 – Splitting the Auth Server from the Resource Server
7. v07 – Adding OpenID Connect on Top of OAuth 2
8. Intermission – What Industry Ships and Who Gets Paid
9. v08 – JWKS and RS256: Dropping the Shared JWT Secret

A note on usage of LLMs #

These posts and the oauth-lab repo were written while I was learning OAuth and OIDC myself. I used LLMs heavily: boilerplate and styling in the Flask apps, RFC lookups, diagram and table formatting, prose cleanup, and (in the intermission post) market research and reference gathering.

The protocol flow, security tradeoffs, and what each version adds are things I built and debugged by hand. When something in a post reads too polished or too generic, that is probably the model; when it describes a bug I hit or a /debug/state dump that looked wrong, that is me.

Treat vendor numbers and analyst figures as snapshots, not gospel. Verify anything you plan to rely on against primary sources. If you spot an error, open an issue or tell me.