OAuth 2.0 + PKCE Explained — Useful Context Before You Reach for django-allauth or social-auth

Reddit r/django·u/PreferenceNo9502·about 1 month ago
#django #oauth #auth #pkce #allauth #photo

If you've ever plugged in django-allauth, django-oauth-toolkit, or python-social-auth and just trusted it to "handle OAuth" — this video is worth a watch.

Understanding what's happening under the hood makes debugging auth issues in Django a lot less painful.

The video covers:

  • The full Authorization Code Flow — what each request/response actually does
  • Why PKCE exists and what attack it prevents (auth code interception)
  • How code_verifier and code_challenge work cryptographically
  • The difference between confidential clients (your Django backend) and public clients (SPAs, mobile)
  • How Bearer tokens are issued and validated

Especially relevant if you're building a Django REST API with a separate frontend that handles OAuth login.

https://youtu.be/gEIfV3ZSt-8?si=HgbqVbJrKRYrmQpw

Happy to discuss how this maps to Django-specific implementations in the comments.
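As an added illustration (not code from the video, nor from django-allauth or social-auth), here is a minimal PKCE round trip in Python: the client derives code_challenge from a random code_verifier, and the token endpoint recomputes and compares that challenge when the authorization code is redeemed. The in-memory code store and the helper names are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import secrets

# PKCE (RFC 7636): the client keeps code_verifier secret, sends only
# code_challenge = BASE64URL(SHA256(code_verifier)) with the authorization
# request, and reveals code_verifier only when redeeming the auth code.
# An auth code captured on the redirect is useless without the verifier.

def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_code_verifier(n_bytes: int = 32) -> str:
    # 32 random bytes -> 43 URL-safe chars, inside the RFC's 43..128 range.
    return b64url(secrets.token_bytes(n_bytes))

def make_code_challenge(verifier: str) -> str:
    # S256 method; "plain" (challenge == verifier) is allowed by the RFC but weak.
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

# --- authorization server side (assumed in-memory stand-in for a real store
# that persists code -> client_id, redirect_uri, challenge, method, expiry) ---
_issued_codes: dict[str, dict] = {}

def issue_auth_code(challenge: str, method: str = "S256") -> str:
    """Authorization endpoint: bind the freshly issued code to the challenge."""
    code = secrets.token_urlsafe(24)
    _issued_codes[code] = {"challenge": challenge, "method": method}
    return code

def redeem_auth_code(code: str, verifier: str) -> bool:
    """Token endpoint: the presented verifier must hash to the stored challenge."""
    record = _issued_codes.pop(code, None)  # single use, whether or not it verifies
    if record is None or record["method"] != "S256":
        return False
    if not 43 <= len(verifier) <= 128:
        return False
    expected = make_code_challenge(verifier)
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(expected, record["challenge"])

def pkce_round_trip() -> tuple[bool, bool]:
    """Returns (correct verifier accepted, wrong verifier for a valid code rejected)."""
    verifier = make_code_verifier()
    good_code = issue_auth_code(make_code_challenge(verifier))
    other_code = issue_auth_code(make_code_challenge(make_code_verifier()))
    return redeem_auth_code(good_code, verifier), not redeem_auth_code(other_code, verifier)
```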
