
OAuth/OIDC Debugger

Comprehensive OAuth 2.0 and OpenID Connect debugging tool. Decode JWT tokens, generate PKCE challenges, test authorization flows, validate redirect URIs, and troubleshoot common OAuth errors - all in your browser.

🔒 All decoding happens in your browser - tokens are never sent to any server


What is OAuth 2.0 and OpenID Connect?

OAuth 2.0 (RFC 6749) is the industry-standard authorization framework that lets an application obtain limited, scoped access to a user's account at a third-party service (such as Google, Microsoft or GitHub) without ever seeing the user's password. The application presents an access token to the API instead of the user's credentials.

OpenID Connect (OIDC) is an authentication layer built on top of OAuth 2.0 that adds identity verification. While OAuth handles authorization (what the app may do), OIDC handles authentication (who the user is). It introduces the ID token, a signed JWT containing claims about the user. An ID token is addressed to the client that requested it (its aud claim is the client_id) and is not an API credential; the access token is what gets sent to resource servers.

Understanding JWT Tokens

JSON Web Tokens (JWT, RFC 7519) are compact, URL-safe tokens made of three Base64url-encoded parts (header.payload.signature) separated by dots; Base64url differs from plain Base64 in using - and _ instead of + and / and in dropping the = padding. The payload carries claims about a subject (usually a user), and the signature (JWS) lets the recipient detect tampering, but only once it has actually been checked. Note that the header and payload are encoded, not encrypted: anyone who holds the token can read every claim, so a JWT must never carry secrets.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U

Token Structure:

  • Header: Algorithm and token type (e.g., { "alg": "RS256", "typ": "JWT" }; the sample above uses HS256)
  • Payload: Claims about the subject (e.g., { "sub": "user123", "email": "user@example.com" }, plus registered claims such as iss, aud, exp and iat)
  • Signature: HMAC (HS*) or public-key signature (RS*/ES*/EdDSA) computed over the first two parts with the algorithm named in alg; a token whose signature you have not verified proves nothing about its claims
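As an added example (not the debugger's own code), here is what the decode-then-verify split looks like in Python for an HS256 token. It decodes the sample token above (whose secret is unknown, so it can only be inspected), then mints its own tokens under a constructed secret to show that a swapped payload, an alg=none header, a wrong secret and a past exp are each rejected. The secret, the fixed clock value and the claims are constructed for the demonstration; the iss/aud checks a real relying party would add on top are left out to keep the focus on structure and signature.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> dict:
    """Decode header and payload WITHOUT verifying anything (inspection only).
    Both parts are merely encoded, so anyone holding the token can read them and
    anyone can alter them until the signature is checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return {
        "header": json.loads(b64url_decode(parts[0])),
        "payload": json.loads(b64url_decode(parts[1])),
        "signature": b64url_decode(parts[2]),
    }


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Mint an HS256 token. Used here only to build verifiable samples."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def inspect_token(token: str, secret: bytes, now=None) -> dict:
    """Validate the way a relying party should: pin the algorithm, verify the
    signature in constant time, then check exp. The decoded claims are returned
    with the verdict so a rejected token can still be looked at."""
    decoded = decode_jwt(token)
    signing_input = token.rpartition(".")[0]
    claims = decoded["payload"]
    alg = decoded["header"].get("alg")
    # Never let the token pick the algorithm: "none" or an RSA alg would
    # otherwise bypass or subvert an HMAC check.
    if alg != "HS256":
        return {"valid": False, "reason": f"unexpected alg {alg!r}", "claims": claims}
    expected = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, decoded["signature"]):
        return {"valid": False, "reason": "bad signature", "claims": claims}
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        return {"valid": False, "reason": "missing or past exp", "claims": claims}
    return {"valid": True, "reason": "ok", "claims": claims}


# Constructed samples; none of these are real credentials.
PAGE_TOKEN = (  # the HS256 token shown on this page; its signing secret is unknown
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
    ".eyJzdWIiOiIxMjM0NTY3ODkwIn0"
    ".dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U"
)
SAMPLE_SECRET = b"constructed-demo-secret"
NOW = 1_900_000_000  # fixed clock so the results are reproducible
VALID_TOKEN = sign_hs256({"sub": "user123", "exp": 2_000_000_000}, SAMPLE_SECRET)
EXPIRED_TOKEN = sign_hs256({"sub": "user123", "exp": 1_000_000_000}, SAMPLE_SECRET)
_h, _p, _s = VALID_TOKEN.split(".")
# Payload swapped for "admin" while keeping the old signature: must fail.
FORGED_TOKEN = ".".join([_h, b64url_encode(b'{"sub":"admin","exp":2000000000}'), _s])
# Header claims alg=none with an empty signature: must fail whatever the payload says.
NONE_TOKEN = ".".join([b64url_encode(b'{"alg":"none","typ":"JWT"}'), _p, ""])

if __name__ == "__main__":
    print("page token claims:", decode_jwt(PAGE_TOKEN)["payload"])
    for name, tok in [("valid", VALID_TOKEN), ("expired", EXPIRED_TOKEN),
                      ("forged", FORGED_TOKEN), ("alg=none", NONE_TOKEN)]:
        print(name, inspect_token(tok, SAMPLE_SECRET, NOW))
```

The order of checks matters: algorithm pinning comes before any cryptography, the signature is compared with hmac.compare_digest rather than ==, and only a token that survived both gets its exp read.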

PKCE Explained

PKCE (Proof Key for Code Exchange, RFC 7636) is an extension to OAuth 2.0 that prevents authorization code interception attacks: an attacker who captures the code (for example through a malicious app registered for the same custom URI scheme, or from a log or Referer header) cannot redeem it. It is required for native and single-page apps (RFC 8252 and the OAuth 2.0 Security BCP), recommended for every other client, and OAuth 2.1 makes it mandatory for all clients using the authorization code grant.

How PKCE Works:

  1. The app generates a random code_verifier: 43 to 128 characters from the unreserved set [A-Za-z0-9-._~], produced by a CSPRNG (32 random bytes, Base64url-encoded, give exactly 43)
  2. The app computes code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), without padding
  3. It sends code_challenge and code_challenge_method=S256 in the authorization request (the plain method, which sends the verifier itself as the challenge, gives no protection against an attacker who can see the request and should be refused)
  4. It sends the code_verifier together with the authorization code in the token request
  5. The server recomputes BASE64URL(SHA256(code_verifier)) and compares it with the challenge it stored alongside the code; a mismatch is answered with invalid_grant

Because the verifier never leaves the app and only its hash travels through the browser, only the client instance that started the flow can exchange the code for tokens, even if the authorization code itself is intercepted.
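The five steps above as a runnable Python example (added here; it is neither the debugger's code nor RFC 7636's own): the client-side verifier and S256 challenge, and the check the authorization server performs at the token endpoint. The result is checked against the test vector in RFC 7636 Appendix B. Using hmac.compare_digest for the final comparison and rejecting the plain method are this example's choices, not requirements of the RFC.

```python
import base64
import hashlib
import hmac
import secrets
import string

# RFC 7636 section 4.1: the verifier alphabet is the URL-unreserved set.
_UNRESERVED = set(string.ascii_letters + string.digits + "-._~")


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(nbytes: int = 32) -> str:
    """Step 1 (client): a high-entropy random verifier from a CSPRNG.
    32 random bytes base64url-encode to exactly 43 characters, the RFC minimum;
    96 bytes give the 128-character maximum."""
    if not 32 <= nbytes <= 96:
        raise ValueError("verifier must be 43-128 characters")
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(code_verifier: str) -> str:
    """Step 2 (client): code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def authorization_request_params(code_verifier: str) -> dict:
    """Step 3 (client): only the challenge and the method travel in the front
    channel; the verifier stays on the device until the token request (step 4)."""
    return {"code_challenge": code_challenge_s256(code_verifier),
            "code_challenge_method": "S256"}


def token_endpoint_check(stored_challenge: str, stored_method: str,
                         presented_verifier: str) -> bool:
    """Step 5 (server): recompute the challenge from the verifier presented with
    the code and compare it to the one stored with that code. Malformed
    verifiers and the 'plain' method are refused; False maps to invalid_grant."""
    if stored_method != "S256":
        return False
    if not 43 <= len(presented_verifier) <= 128 or set(presented_verifier) - _UNRESERVED:
        return False
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


# Test vector from RFC 7636 Appendix B.
RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def pkce_roundtrip() -> dict:
    """Steps 1-5 end to end with a fresh verifier, plus an interception attempt
    in which the attacker holds the code (and so the challenge) but not the verifier."""
    verifier = generate_code_verifier()
    sent = authorization_request_params(verifier)  # the server stores this with the code
    honest = token_endpoint_check(sent["code_challenge"], sent["code_challenge_method"], verifier)
    attacker = token_endpoint_check(sent["code_challenge"], sent["code_challenge_method"],
                                    generate_code_verifier())  # attacker must guess
    return {"verifier_length": len(verifier), "honest_ok": honest, "attacker_ok": attacker}


if __name__ == "__main__":
    print("RFC vector matches:", code_challenge_s256(RFC_VERIFIER) == RFC_CHALLENGE)
    print(pkce_roundtrip())
```

If your own client's challenge for the RFC verifier does not come out as E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM, the usual culprits are hashing the hex digest instead of the raw bytes, or leaving the = padding on the Base64 output.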

Common OAuth Flows

Authorization Code Flow

Most secure flow for server-side (confidential) applications: the browser only ever sees a short-lived authorization code, and the client exchanges it at the token endpoint while authenticating with its client secret (or a stronger credential such as private_key_jwt or mTLS), so tokens are never exposed to the user agent. Best for confidential clients that can store a secret securely.

Authorization Code Flow with PKCE

The same flow for public clients (mobile apps, SPAs, CLI tools) that cannot keep a client secret: there is no client authentication at the token endpoint, so PKCE is what binds the code to the client that requested it. Recommended for all modern applications; pair it with state (and nonce in OIDC).

Client Credentials Flow

For machine-to-machine (service-to-service) access with no user involved. The app authenticates to the token endpoint with its client_id and client_secret (or a stronger credential such as private_key_jwt or mTLS) and receives an access token for itself; no refresh token is issued, the client simply requests a new token when the old one expires.

Implicit Flow (Deprecated)

Legacy flow for SPAs (response_type=token) that returns the access token directly in the URL fragment of the redirect. The OAuth 2.0 Security BCP advises against it and OAuth 2.1 removes it: the token lands in browser history and Referer headers, can be injected into the response by an attacker, and cannot be bound to the client. Use Authorization Code Flow with PKCE instead.

Security Best Practices

  • Use PKCE for all OAuth clients, not just public clients
  • Short-lived tokens: access tokens should expire in 15-60 minutes; obtain new ones with a refresh token (rotated on each use for public clients) rather than lengthening the lifetime
  • Validate the state parameter: mint an unguessable value per authorization request, bind it to the user's session, and reject any callback whose state does not match; this blocks CSRF on the callback. In OIDC also check the nonce inside the ID token
  • Exact redirect URI matching: register full URIs and compare them byte for byte; don't use wildcards, prefixes or regexes
  • Verify token signatures: validate the JWT signature against the issuer's published keys (JWKS) and pin the algorithm you expect (never accept alg=none, and never let the token's own header choose between HMAC and RSA); only then trust the claims
  • Check expiration and audience: reject tokens past exp (allow a few seconds of clock skew at most), and check iss and aud (for an ID token, aud must contain your client_id)
  • Use HTTPS: never use OAuth over unencrypted HTTP in production
  • Secure token storage: keep tokens out of localStorage, where any XSS can read them; for browser apps prefer a backend that holds the tokens and issues an httpOnly, Secure, SameSite session cookie, and on mobile use the platform keystore
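The state and redirect-URI items above, as an added Python example that is not the debugger's code. The endpoints, client_id, registered redirect URI, PKCE challenge (taken from RFC 7636 Appendix B) and authorization code are all constructed. It contrasts exact redirect URI matching with the prefix matching it warns against, then runs one honest callback, one replay of it and one cross-site forged callback through the same state check.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed, hypothetical client registration; not a real deployment.
AUTHORIZE_ENDPOINT = "https://idp.example.com/authorize"
CLIENT_ID = "demo-client"
REDIRECT_URI = "https://app.example.com/oauth/callback"
REGISTERED_REDIRECT_URIS = {REDIRECT_URI}


def redirect_uri_allowed_exact(candidate: str) -> bool:
    """Authorization-server side: byte-for-byte match against the registered set."""
    return candidate in REGISTERED_REDIRECT_URIS


def redirect_uri_allowed_prefix(candidate: str) -> bool:
    """The weak variant some servers ship: prefix matching. Shown for contrast only."""
    return any(candidate.startswith(uri) for uri in REGISTERED_REDIRECT_URIS)


# Constructed attacker-chosen values that prefix matching accepts and exact matching refuses.
LOOKALIKE_REDIRECTS = [
    REDIRECT_URI + "/../../attacker-page",             # traversal the browser normalizes away
    REDIRECT_URI + "?next=https://attacker.example/",  # feeds an open redirect on the app
    REDIRECT_URI + "-old",                             # a different path that shares the prefix
]


def build_authorization_request(code_challenge: str, session: dict) -> str:
    """Client side: mint an unguessable state, bind it to this browser session,
    and send it with the exact redirect_uri and the PKCE challenge."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def handle_callback(callback_url: str, session: dict) -> str:
    """Client side: the echoed state must equal the one stored for this session,
    compared in constant time and consumed so it cannot be replayed. Only then
    is the authorization code handed on to the token exchange."""
    query = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)
    presented = query.get("state", [""])[0]
    if expected is None or not hmac.compare_digest(expected.encode(), presented.encode()):
        raise ValueError("state mismatch: not a response to a request this session made")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]


def simulate_flow() -> dict:
    """One honest flow, a replay of its callback, and a CSRF attempt."""
    session = {}
    url = build_authorization_request("E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM", session)
    state = parse_qs(urlsplit(url).query)["state"][0]  # the IdP echoes this back unchanged
    callback = REDIRECT_URI + "?" + urlencode({"code": "constructed-auth-code", "state": state})
    code = handle_callback(callback, session)

    def rejected(cb, sess):
        try:
            handle_callback(cb, sess)
        except ValueError:
            return True
        return False

    # Replay: the state was consumed, so the same callback cannot be used twice.
    replay_rejected = rejected(callback, session)
    # CSRF: the victim has a flow in progress, but the attacker's link carries the
    # attacker's own code and state, which cannot match the victim's session.
    victim = {"oauth_state": secrets.token_urlsafe(32)}
    csrf_rejected = rejected(REDIRECT_URI + "?code=attacker-code&state=attacker-state", victim)
    return {"code": code, "replay_rejected": replay_rejected, "csrf_rejected": csrf_rejected}


if __name__ == "__main__":
    for uri in LOOKALIKE_REDIRECTS:
        print(uri, "exact:", redirect_uri_allowed_exact(uri), "prefix:", redirect_uri_allowed_prefix(uri))
    print(simulate_flow())
```

The CSRF case is the one the state check exists for: without it, the victim's session would complete the attacker's flow and end up logged in to the attacker's account, with anything the victim then does (uploads, saved cards) landing where the attacker can read it.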

Troubleshooting OAuth Errors

OAuth errors can be cryptic. Here are the most common ones and quick fixes:

invalid_grant

Usually means: (1) the code expired (codes live for minutes at most), (2) the code was already redeemed, (3) the redirect_uri in the token request differs from the one used in the authorization request, (4) the PKCE code_verifier does not match the challenge sent earlier, or (5) a refresh token was revoked or already rotated

invalid_client

Client authentication failed. Check that client_id and client_secret match your provider dashboard, and check how the secret is sent (HTTP Basic header versus form body), since providers differ in what they accept.

unauthorized_client

The client is not enabled for this grant or response type (for example, client_credentials or refresh tokens not switched on for it); some providers also report an unregistered redirect URI this way

access_denied

User clicked "Deny" on consent screen or lacks permission for requested scopes

Use the Error Debugger tab for detailed troubleshooting with step-by-step solutions ranked by likelihood.

Frequently Asked Questions

Common questions about the OAuth/OIDC Debugger

Paste your JWT token into the "JWT Decoder" tab. The tool will automatically decode the header, payload, and signature. You'll see all claims with syntax highlighting, validation status, and expiration warnings. Optionally provide a secret to verify the signature. All decoding happens in your browser - tokens are never sent to any server.

⚠️ Security Notice

This tool is provided for educational and authorized security testing purposes only. Always ensure you have proper authorization before testing any systems or networks you do not own. Unauthorized access or security testing may be illegal in your jurisdiction. All processing happens client-side in your browser - no data is sent to our servers.