I Thought OAuth Was Just Adding a Google Button. Turns Out It's a CSRF Problem Disguised as a Feature.

via Dev.to Python, by Ravi Gupta

This is Part 2 of a 4-part series on building AuthShield - a production-ready standalone authentication microservice. This post covers the OAuth 2.0 implementation: Authorization Code Flow, PKCE, CSRF protection, and account linking. Part 1 is here: Why I Stopped Writing Auth Code for Every Project and Built AuthShield

When I started implementing OAuth 2.0 in AuthShield, I thought it was going to be one of the easier parts. Add a Google button. Redirect the user. Get their email back. Done.

I was wrong - not because OAuth is complicated, but because I did not understand what it actually is. I thought it was a login mechanism. It is not. OAuth 2.0 is an authorization framework, and almost every step in the flow exists to defend against a specific attack. Once I understood that, everything clicked. But getting there took more time than I expected.

What OAuth 2.0 Actually Is

Most engineers encounter OAuth for the first time through social login. Click "Sign in with Google," get redirected
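The excerpt names two of the defensive steps the rest of the series covers, the `state` parameter (which binds the provider's callback to the browser session that started the login, so a forged callback cannot log a victim into an attacker's account) and PKCE (which binds the authorization code to the client that requested it). The following is an added example, not code from the article or from the AuthShield project, showing the relying party's two legs of the Authorization Code Flow with both checks; the provider URL, client id and redirect URI are placeholders, and `server_verifies_pkce` stands in for the check the authorization server does at its token endpoint.

```python
"""Relying-party side of OAuth 2.0 Authorization Code Flow with state + PKCE.

Added example (assumed endpoints and ids); not the article's or AuthShield's code.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders: a real provider and client registration supply these values.
AUTHORIZE_URL = "https://provider.example/oauth2/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example/oauth/callback"


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_query(url: str) -> dict:
    """Return the first value of each query parameter in a URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def begin_login(session: dict) -> str:
    """Build the redirect to the provider.

    Stores the state and the PKCE verifier in the server-side session so that
    only the browser session that started this login can complete it.
    """
    state = _b64url(secrets.token_bytes(32))      # anti-CSRF binding to this session
    verifier = _b64url(secrets.token_bytes(32))   # 43-char code_verifier, kept secret
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    session["oauth_state"] = state
    session["pkce_verifier"] = verifier
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": state,
        "code_challenge": challenge,           # only the hash leaves the client
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


class OAuthCallbackError(Exception):
    """Raised when the provider's redirect fails a check; the login is abandoned."""


def handle_callback(session: dict, callback_url: str) -> dict:
    """Validate the provider's redirect and build the token-endpoint request body.

    The state is consumed (single use) even on failure, so a replayed callback
    can never succeed.  Raises OAuthCallbackError on any mismatch.
    """
    qs = parse_query(callback_url)
    expected_state = session.pop("oauth_state", None)
    verifier = session.pop("pkce_verifier", None)
    got_state = qs.get("state")
    if not expected_state or not got_state or not secrets.compare_digest(expected_state, got_state):
        raise OAuthCallbackError("state mismatch: callback is not bound to this session")
    if "error" in qs:
        raise OAuthCallbackError(f"provider returned error: {qs['error']}")
    code = qs.get("code")
    if not code:
        raise OAuthCallbackError("missing authorization code")
    # This is what the relying party POSTs to the token endpoint (not shown here).
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }


def server_verifies_pkce(stored_challenge: str, code_verifier: str) -> bool:
    """The authorization server's check at the token endpoint: the verifier
    presented with the code must hash to the challenge sent at authorize time."""
    recomputed = _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return secrets.compare_digest(stored_challenge, recomputed)
```

Both secrets live in the server-side session, never in a cookie the browser could be tricked into sending from another origin; the state check runs before anything else is read from the callback, and the token exchange itself is left to the reader's HTTP client.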

Continue reading on Dev.to Python
