Image without description
  • Jacco Meijer
  • |
  • Mar 14, 2025

OAuth 2.0 and OpenID Connect Sequence Diagrams

Technical specs can be hard to read. While still highly technical, the UML Sequence Diagrams provided in this blog are a lot easier to understand.

Oauth 2.0 and OpenID Connect

Being able to read technical specs is a competence by itself. Visualized architectural models of a spec often help to understand the spec.

OAuth 2.0 Authorization Framework

The official specs of the OAuth 2.0 Authorization Framework as defined by RFC 6749 uses diagrams that look like this:

     +----------+
     | Resource |
     |   Owner  |
     |          |
     +----------+
          ^
          |
         (B)
     +----|-----+          Client Identifier      +---------------+
     |         -+----(A)-- & Redirection URI ---->|               |
     |  User-   |                                 | Authorization |
     |  Agent  -+----(B)-- User authenticates --->|     Server    |
     |          |                                 |               |
     |         -+----(C)-- Authorization Code ---<|               |
     +-|----|---+                                 +---------------+
       |    |                                         ^      v
      (A)  (C)                                        |      |
       |    |                                         |      |
       ^    v                                         |      |
     +---------+                                      |      |
     |         |>---(D)-- Authorization Code ---------'      |
     |  Client |          & Redirection URI                  |
     |         |                                             |
     |         |<---(E)----- Access Token -------------------'
     +---------+       (w/ Optional Refresh Token)

   Note: The lines illustrating steps (A), (B), and (C) are broken into
   two parts as they pass through the user-agent.

                     Figure 3: Authorization Code Flow

OpenID Connect 1.0

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. The diagrams in the official spec look very similar to the diagrams in RFC 6749:

+--------+                                   +--------+
|        |                                   |        |
|        |---------(1) AuthN Request-------->|        |
|        |                                   |        |
|        |  +--------+                       |        |
|        |  |        |                       |        |
|        |  |  End-  |<--(2) AuthN & AuthZ-->|        |
|        |  |  User  |                       |        |
|   RP   |  |        |                       |   OP   |
|        |  +--------+                       |        |
|        |                                   |        |
|        |<--------(3) AuthN Response--------|        |
|        |                                   |        |
|        |---------(4) UserInfo Request----->|        |
|        |                                   |        |
|        |<--------(5) UserInfo Response-----|        |
|        |                                   |        |
+--------+                                   +--------+

UML

UML Sequence Diagrams can be useful when explaining specs. This post uses PlantUML to generate Sequence Diagrams for the OAuth 2.0 and OpenID Connect specs.

OAuth 2.0 Obtaining Authorization Diagrams

From the spec:

To request an access token, the client obtains authorization from the resource owner. The authorization is expressed in the form of an authorization grant, which the client uses to request the access token. OAuth defines four grant types: authorization code, implicit, resource owner password credentials, and client credentials. It also provides an extension mechanism for defining additional grant types.

4.1 - Authorization Code Grant

Image without description

4.2 - Implicit Grant

Image without description

4.3 - Resource Owner Password Credentials Grant

Image without description

4.4 - Client Credentials Grant

Image without description

7 - Accessing Protected Resources

Image without description

OpenID Connect Diagrams

From the spec:

Appendix A. Authorization Examples. The following are non-normative examples of Authorization Requests with different response_type values and their responses.

A.1 - Example using response_type=code

Image without description

A.2 - Example using response_type=id_token

Image without description

A.3 - Example using response_type=id_token token

Image without description

A.4 - Example using response_type=code id_token

Image without description

A.5 - Example using response_type=code token

Image without description

A.6 - Example using response_type=code id_token token

Image without description

Other posts

Image without description

Visualizing IT Architecture in three languages, UML, C4 and ArchiMate

What are the differences and what are these languages most used for?

read more
Image without description

OAuth 2.0 and OpenID Connect Sequence Diagrams

Technical specs can be hard to read. While still highly technical, the UML Sequence Diagrams provided in this blog are a lot easier to understand.

read more
Image without description

UI Library with MDX documentation

Using the simple Render JSX plugin for Esbuild this post shows how to setup a simple UI library.

read more
Image without description

Render JSX plugin for Esbuild

Transform Esbuild generated JSX bundles to HTML pages.

read more
Image without description

Esbuild as a static site generator for MDX

Static site generators gain popularity. This blog is about using Esbuild as a static site generator for MDX.

read more
Image without description

11ty and Github pages

Simplifying the Contentful-Gatsby-Netlfy trio.

read more
Image without description

OWASP and CISSP

OWASP recommendations from the independent information security certification CISSP.

read more
Image without description

NPM7 and @npmcli/arborist

@npmcli/arborist is a powerful library that handles the new NPM 7 workspaces. This blog is about a simple make tool that uses the library.

read more
Image without description

Comparing React app, Nextjs and Gatsby

A new React project starts with a React toolchain. Main tools in the chains are SSR, React server components and GraphQL.

read more
Image without description

Versioning strategy for NPM modules

It is important to be able to bump the version of a NPM package without side effects.

read more
Image without description

React component themes and CSS variables

Creating React components with flexible themes by using CSS variables.

read more
Image without description

Content modeling with variants

The efficiency of a variant field in a content model.

read more
Image without description

Documentation

Documenting a software project is challenging. Here's a few simple guidelines that help a team writing clear documentation.

read more
Image without description

Javascript history

In 1986 David Ungar and Randall B. Smith developed Self at Xerox PARC. Inspired by Java, Scheme and Self Brendan Eich created Javascript in 1995.

read more
Image without description

On Javascript transpilers, bundlers and modules

There's Javascript transpilers, modules, bundles and bundlers. This is a brief overview of all of these.

read more
Image without description

Agile Scrum

The Agile Scrum framework is flexible enough to be used in many different ways. Here's one way of working.

read more
Image without description

What happened to Wheelroom?

Founded in 2018. Started to fly in 2020 and abandoned in 2021. What happened?

read more
Image without description

Contentful, Netlify and Gatsby four years later

What did we learn from using Contentful for four years?

read more
Image without description

Typescript interface for React UI components

How to define an interface for React UI components that prevents breaking changes.

read more
Image without description

Naming React components

What's in a name? A clear naming strategy helps developers communicate. Most devs rather spend time writing component code than wasting time on a good component name.

read more