OAuth 2.0 Explained: From Authorization Codes to PKCE (The Complete Picture)
Source: DEV Community
OAuth is everywhere and most developers use it without really understanding what's happening under the hood. You click "Sign in with Google," magic happens, and you're logged in. But when something breaks — a token expires, a redirect fails, a scope is wrong — you're suddenly debugging a protocol you never learned.

I built OAuth integrations for years before I actually understood the full flow. Here's what I wish someone had explained from the start.

The Four Actors

OAuth has four players, and mixing them up is where most confusion starts:

- Resource Owner — that's you, the user. You own the data.
- Client — the app requesting access to your data. Could be a web app, mobile app, or CLI tool.
- Authorization Server — issues tokens after you grant permission. Google, GitHub, Auth0 — these run authorization servers.
- Resource Server — the API that holds your actual data. Sometimes this is the same company as the auth server, sometimes not.

The whole point of OAuth: the Client gets limited access