Skip to content

How to Set Up an OAuth 2.0 Provider

Key idea:

Setting up an OAuth 2.0 provider (Google, GitHub, VK, ...) for your app is what enables "Login with Google/GitHub/VK" sign-in. For a server-side web app use the Authorization Code flow; for an SPA or mobile app use Authorization Code + PKCE (RFC 7636), which the current OAuth 2.0 Security BCP recommends for every client type. Process: register an OAuth app with the provider, obtain a client_id (and, for confidential clients, a client_secret), configure the redirect URI, exchange the returned code for an access_token at the token endpoint, then fetch the user profile.

Below: step-by-step, working examples, common pitfalls, FAQ.

Step-by-Step Setup

  1. Pick provider(s): Google, GitHub, VK, Yandex. Register an OAuth app in the provider's developer console
  2. Set the redirect URI (callback) exactly as your app will send it: https://example.com/oauth/callback. Providers compare it as a string, so scheme, host, path and trailing slash must match
  3. Store client_id and client_secret in environment variables or a secrets manager (not in git!)
  4. On the login page, generate the authorize URL: https://provider.com/oauth/authorize?client_id=X&redirect_uri=...&response_type=code&scope=email&state=RANDOM. The state value is random per login attempt and saved in the server-side session
  5. Handle the callback: verify state against the session, then POST the code to the provider's token endpoint to exchange it for an access_token
  6. Fetch the user profile with the access_token in an Authorization: Bearer header: GET https://provider.com/api/user
  7. Create or update the local user and log them in. Store the refresh_token server-side for renewal (some providers only return one on request, e.g. Google requires access_type=offline)

Working Examples

Scenario: Config

Google OAuth, authorize URL:
https://accounts.google.com/o/oauth2/v2/auth?client_id=CLIENT_ID&redirect_uri=REDIRECT&scope=openid%20email%20profile&response_type=code&state=RANDOM
(the space-separated scope list must be URL-encoded)

GitHub token exchange:
POST https://github.com/login/oauth/access_token
Accept: application/json
client_id=X&client_secret=Y&code=Z&redirect_uri=REDIRECT
(without the Accept header GitHub answers with a form-encoded body instead of JSON)

PKCE for SPA:
code_verifier = base64url(random(32)); code_challenge = base64url(sha256(code_verifier))
authorize URL gets &code_challenge=...&code_challenge_method=S256; the token request adds code_verifier=...

PHP pseudo-code (generic client library; class and method names are illustrative):
$client = new GoogleClient($clientId, $secret);
$url = $client->getAuthUrl($redirectUri);
$token = $client->exchangeCode($_GET['code']);
$user = $client->getUser($token);

State validation (PHP):
session_start();
$_SESSION['oauth_state'] = bin2hex(random_bytes(16));
// in the callback: constant-time compare, then discard so the state is single-use
if (!isset($_SESSION['oauth_state']) || !hash_equals($_SESSION['oauth_state'], $_GET['state'] ?? '')) {
    exit('invalid state');
}
unset($_SESSION['oauth_state']);
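The step list and the table above describe one procedure; the following added example (written for this page, not code from the page's author or from any provider's SDK) runs it end to end in Python against a constructed in-memory provider. Every endpoint, client_id and token value is an assumption; the real integration swaps post_token for an HTTPS POST and the FakeProvider for the provider's live endpoints. It shows the pieces the table lists separately working together: state bound to the session and compared in constant time, PKCE verifier and S256 challenge, a single-use code redeemed with the matching redirect_uri and code_verifier, and a forged callback being rejected before the token endpoint is ever called.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for a constructed provider and client registration (not a real service).
AUTHORIZE_URL = "https://provider.example/oauth/authorize"
TOKEN_URL = "https://provider.example/oauth/token"
REDIRECT_URI = "https://example.com/oauth/callback"
CLIENT_ID = "demo-client-id"


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce() -> tuple:
    """code_verifier (43 chars from 32 random bytes) and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def begin_login(session: dict) -> str:
    """Step 4: bind state and verifier to the server-side session, return the authorize URL."""
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce()
    session["oauth_state"] = state
    session["pkce_verifier"] = verifier
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "openid email profile",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def handle_callback(session: dict, callback_url: str, post_token) -> dict:
    """Step 5: check state in constant time, then redeem the code via post_token(url, form) -> dict."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)      # single use: a replay finds nothing
    verifier = session.pop("pkce_verifier", None)
    received = query.get("state", [""])[0]
    if not expected or not hmac.compare_digest(received, expected):
        raise ValueError("state mismatch: possible login CSRF")
    if "error" in query:
        raise ValueError("provider error: " + query["error"][0])
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback without code")
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,   # must equal the one sent in step 4
        "client_id": CLIENT_ID,
        "code_verifier": verifier,      # a confidential client adds client_secret here
    }
    token = post_token(TOKEN_URL, form)
    if "access_token" not in token:
        raise ValueError("token exchange failed: " + token.get("error", "unknown"))
    return token


class FakeProvider:
    """Constructed provider: issues codes bound to the PKCE challenge, checks them on redemption."""
    def __init__(self) -> None:
        self.codes = {}   # code -> (code_challenge, redirect_uri)

    def authorize(self, url: str) -> str:
        """The user approves; the provider redirects back with a code and the echoed state."""
        q = parse_qs(urlparse(url).query)
        code = secrets.token_urlsafe(16)
        self.codes[code] = (q["code_challenge"][0], q["redirect_uri"][0])
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, url: str, form: dict) -> dict:
        entry = self.codes.pop(form.get("code", ""), None)   # codes are single use
        if entry is None or form.get("redirect_uri") != entry[1]:
            return {"error": "invalid_grant"}
        recomputed = b64url(hashlib.sha256(form.get("code_verifier", "").encode()).digest())
        if not hmac.compare_digest(recomputed, entry[0]):
            return {"error": "invalid_grant"}       # verifier does not match the challenge
        return {"access_token": "at-" + secrets.token_hex(8), "token_type": "Bearer", "expires_in": 3600}


def run_login() -> dict:
    """Happy path: the whole exchange against the constructed provider."""
    provider, session = FakeProvider(), {}
    return handle_callback(session, provider.authorize(begin_login(session)), provider.token)


def tampered_state_rejected() -> bool:
    """An attacker-supplied callback (wrong state) must never reach the token endpoint."""
    provider, session = FakeProvider(), {}
    callback = provider.authorize(begin_login(session))
    forged = callback.replace(parse_qs(urlparse(callback).query)["state"][0], "attacker-state")
    try:
        handle_callback(session, forged, provider.token)
    except ValueError:
        return True
    return False
```

The session dict stands in for whatever server-side session store the app uses; the important property is that state and code_verifier never leave the server and are popped on first use, so a replayed or forged callback fails the state check before any network call.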

Common Pitfalls

  • client_secret embedded in JS or a mobile app: it leaks, and anyone holding it can mint tokens as your client. Public clients get no secret; they use PKCE instead
  • No state parameter: login CSRF. The attacker starts a flow with their own provider account and makes the victim's browser finish it, so the victim is silently logged into the attacker's account and anything they then save lands there
  • No PKCE for SPA/mobile: the authorization code can be intercepted (e.g. by another app registered for the same custom URI scheme) and redeemed by someone else
  • Trusting any email the provider returns: an attacker registers a provider account with your user's email and gets linked to that user's local account. Link accounts by (issuer, sub), not by email
  • Not checking email_verified in the id_token claims (or the provider's equivalent): an unverified address is attacker-chosen, so treating it as identity is spoofing
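The last two pitfalls are about what the app does after the provider answers. The added example below (written for this page, not the page's own code) shows the claims checks that must follow signature verification of an id_token, and an account-linking rule that keys on (iss, sub) and refuses to attach an unverified email to an existing local account. ISSUER, CLIENT_ID, the claim sets and the in-memory UserStore are all constructed assumptions; a JOSE library verifies the signature before these checks run.

```python
# Assumed provider values for a constructed example (not a real OIDC deployment).
ISSUER = "https://accounts.provider.example"
CLIENT_ID = "demo-client-id"


def check_id_token_claims(claims: dict, now: float) -> dict:
    """Claims checks that follow signature verification: iss, aud, exp and a stable sub."""
    if claims.get("iss") != ISSUER:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not contain our client_id")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("id_token expired")
    if not claims.get("sub"):
        raise ValueError("sub missing")
    return claims


class UserStore:
    """In-memory stand-in for the local user table and the provider-identity link table."""
    def __init__(self) -> None:
        self.users = {}         # user id -> user record
        self.by_email = {}      # verified email (lowercased) -> user id
        self.by_identity = {}   # (iss, sub) -> user id

    def create(self, email, verified: bool) -> dict:
        user = {"id": len(self.users) + 1, "email": email, "email_verified": verified}
        self.users[user["id"]] = user
        if email and verified:              # only a verified address may be used for lookup
            self.by_email[email.lower()] = user["id"]
        return user


def login_with_provider(store: UserStore, claims: dict, now: float) -> dict:
    """Return the local user for a validated id_token, linking or creating as needed."""
    claims = check_id_token_claims(claims, now)
    key = (claims["iss"], claims["sub"])   # stable identity; an email can change or be reused
    if key in store.by_identity:
        return store.users[store.by_identity[key]]
    email = claims.get("email")
    verified = claims.get("email_verified") is True
    existing = store.by_email.get(email.lower()) if email else None
    if existing is not None:
        if not verified:
            raise PermissionError("refusing to link an unverified email to an existing account")
        store.by_identity[key] = existing
        return store.users[existing]
    user = store.create(email, verified)
    store.by_identity[key] = user["id"]
    return user


def demo() -> dict:
    """Constructed scenario: victim has a local account; attacker's provider account claims that email."""
    now = 1_700_000_000.0
    store = UserStore()
    victim = store.create("victim@example.com", verified=True)
    attacker_claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "attacker-sub", "exp": now + 300,
                       "email": "victim@example.com", "email_verified": False}
    try:
        login_with_provider(store, attacker_claims, now)
        takeover_blocked = False
    except PermissionError:
        takeover_blocked = True
    victim_claims = dict(attacker_claims, sub="victim-sub", email_verified=True)
    linked = login_with_provider(store, victim_claims, now)
    try:
        login_with_provider(store, dict(victim_claims, aud="other-client"), now)
        wrong_aud_rejected = False
    except ValueError:
        wrong_aud_rejected = True
    return {
        "takeover_blocked": takeover_blocked,
        "linked_to_victim": linked["id"] == victim["id"],
        "wrong_aud_rejected": wrong_aud_rejected,
        "users": len(store.users),
    }
```

With these rules the attacker's unverified claim cannot reach the victim's account, while the real owner, whose provider asserts email_verified=true, is linked once and thereafter found by (iss, sub) regardless of later email changes.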

Frequently Asked Questions

OAuth 2.0 vs OpenID Connect?

OAuth 2.0 handles authorization only (delegated access to an API). OpenID Connect is an identity layer on top of OAuth: it returns an id_token (a signed JWT) with user claims such as sub, email and email_verified, which is what login should be based on.

Is Implicit flow still used?

No. The OAuth 2.0 Security Best Current Practice has advised against it since its 2019 drafts (now RFC 9700): tokens travel in the URL fragment and cannot be protected with PKCE. Always use Authorization Code + PKCE for SPA and mobile.

Where to store the refresh token?

Server-side (session store or database, encrypted at rest). Never in localStorage or a JS-accessible cookie. If the browser must hold anything, it is an httpOnly, Secure, SameSite session cookie that references the server-side storage, not the token itself.

How to test an OAuth flow?

Google's OAuth 2.0 Playground (developers.google.com/oauthplayground) walks through the authorize and token steps interactively. To inspect the id_token (a JWT), use the Enterno JWT decoder (/en/jwt); note that most providers' access_tokens are opaque strings rather than JWTs, so decode the access_token only where the provider documents it as a JWT.