What is OAuth?

OAuth (Open Authorization) is an open standard authorization protocol that allows users to grant third-party applications limited access to their resources without sharing their credentials. It enables secure delegated access through access tokens.

Quick Facts

Full Name: Open Authorization
Created: 2007 (OAuth 1.0), 2012 (OAuth 2.0, RFC 6749)
Specification: Official Specification (RFC 6749)

How It Works

OAuth works by issuing access tokens to third-party clients with the approval of the resource owner. In the most common flow (Authorization Code), the client redirects the user's browser to the authorization server, where the user authenticates and approves the requested access. The authorization server redirects back to the client's registered redirect URI with a short-lived, single-use authorization code, and the client exchanges that code at the token endpoint for an access token (and optionally a refresh token).

OAuth 2.0 is the current version and is used by Google, Facebook, GitHub and other major platforms for API access and social login. OAuth 2.1, currently an IETF draft, consolidates the best practices that accumulated as OAuth 2.0 extensions: it mandates PKCE (Proof Key for Code Exchange) for every client using the authorization code grant, removes the implicit and password grants, and requires exact string matching of redirect URIs (no prefix or wildcard matching). PKCE defeats authorization code interception by binding the code to a random secret (the code verifier) that only the client that started the flow knows, which is why it is essential for mobile and single-page applications that cannot keep a client secret.

Key Characteristics

  • Token-based authorization (not authentication)
  • Supports multiple grant types (Authorization Code, Client Credentials, etc.)
  • Scopes define the level of access granted
  • Refresh tokens for obtaining new access tokens
  • Separation of roles: Resource Owner, Client, Authorization Server, Resource Server
  • TLS (HTTPS) required on the authorization, token and resource endpoints; bearer tokens are only as safe as the channel they travel over

Common Use Cases

  1. Social login (Sign in with Google/Facebook/GitHub)
  2. Third-party API access
  3. Mobile app login and API access (Authorization Code flow with PKCE; login itself via OpenID Connect)
  4. Microservices authorization
  5. Single Sign-On (SSO) implementations

Example

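The following is an added example, not code from the original page or from any OAuth library: a self-contained simulation of the Authorization Code flow with PKCE described under How It Works, showing both the client's and the authorization server's side of the exchange. The client id "demo-client", the redirect URI "https://app.example/cb", the scope strings and the in-memory AuthorizationServer class are all invented for the illustration; a real server would also authenticate the user and record consent before issuing a code. The demo() function runs the legitimate flow and then shows the three things the flow is designed to stop: replaying a code, redeeming an intercepted code without the verifier, and redirecting to a URI that is not an exact match of the registered one.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Random code_verifier (43 chars here; 43..128 allowed) and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


class AuthorizationServer:
    """Toy authorization server (assumption: in-memory state, no user login shown)."""

    def __init__(self):
        # Registered clients with their exact redirect URIs: no prefix or wildcard matching.
        self.clients = {"demo-client": {"https://app.example/cb"}}
        self.codes = {}  # one-time authorization codes -> what each code was bound to

    def authorize(self, params):
        """GET /authorize, after the resource owner has authenticated and consented.
        Returns the redirect URL that carries the authorization code back to the client."""
        client_id, redirect_uri = params["client_id"], params["redirect_uri"]
        if redirect_uri not in self.clients.get(client_id, set()):
            raise ValueError("invalid_request: unregistered redirect_uri")
        if params.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        if params.get("code_challenge_method") != "S256" or "code_challenge" not in params:
            raise ValueError("invalid_request: PKCE S256 required")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "code_challenge": params["code_challenge"],
                            "scope": params.get("scope", "")}
        return redirect_uri + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form):
        """POST /token: redeem a code; SHA-256 of the verifier must equal the stored challenge."""
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported_grant_type")
        rec = self.codes.pop(form.get("code"), None)  # pop: a code is single use
        if rec is None:
            raise ValueError("invalid_grant: unknown or already used code")
        if rec["client_id"] != form.get("client_id") or rec["redirect_uri"] != form.get("redirect_uri"):
            raise ValueError("invalid_grant: client_id/redirect_uri mismatch")
        expected = b64url(hashlib.sha256(form.get("code_verifier", "").encode("ascii")).digest())
        if not secrets.compare_digest(expected, rec["code_challenge"]):
            raise ValueError("invalid_grant: PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": rec["scope"]}


CLIENT_ID, REDIRECT_URI = "demo-client", "https://app.example/cb"  # invented for the example


def client_start(scope):
    """Client step 1: build the authorization request; keep verifier and state in the session."""
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)  # binds the callback to this browser session (CSRF defence)
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": scope, "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return params, {"verifier": verifier, "state": state}


def client_finish(server, session, callback_url, verifier=None):
    """Client step 3: check state on the callback, then exchange code + verifier for a token."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch (possible CSRF or mixed-up session)")
    return server.token({"grant_type": "authorization_code", "code": q["code"][0],
                         "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                         "code_verifier": verifier or session["verifier"]})


def demo():
    """Legitimate flow succeeds; replay, a stolen code and a non-exact redirect URI all fail."""
    server = AuthorizationServer()
    params, session = client_start("read:user")
    callback = server.authorize(params)  # step 2: user consents, code comes back via redirect
    results = {"token": client_finish(server, session, callback)}
    try:
        client_finish(server, session, callback)  # same code presented a second time
    except ValueError as e:
        results["replay"] = str(e)
    params, session = client_start("read:user")  # fresh run; an attacker grabs this code
    callback = server.authorize(params)
    try:
        client_finish(server, session, callback, verifier=make_pkce_pair()[0])
    except ValueError as e:
        results["stolen"] = str(e)
    try:
        server.authorize({**params, "redirect_uri": "https://app.example/cb/evil"})
    except ValueError as e:
        results["bad_redirect"] = str(e)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The server never sees the verifier until the token request, so an attacker who captures the code from the redirect (a malicious app registered for the same custom URL scheme, a leaked browser history, a logged referrer) has nothing to exchange. The redirect URI check is deliberately a set membership test rather than a startswith(): "https://app.example/cb/evil" would pass a prefix match and is rejected here.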

Frequently Asked Questions

What is the difference between OAuth and authentication?

OAuth is an authorization protocol, not an authentication protocol. Authentication verifies who you are (identity), while authorization determines what you can access (permissions). OAuth allows users to grant third-party applications limited access to their resources without sharing passwords. For authentication, OpenID Connect (OIDC) is built on top of OAuth 2.0, adding an identity layer to provide user authentication.

What are the different OAuth 2.0 grant types?

OAuth 2.0 defines several grant types: Authorization Code (for confidential server-side apps), Authorization Code with PKCE (for mobile/SPA and other public clients), Client Credentials (for machine-to-machine calls with no user involved), Device Authorization (RFC 8628, for input-constrained devices such as TVs and CLIs), Implicit (deprecated, was for browser apps; tokens leaked via the URL fragment) and Resource Owner Password (legacy, not recommended; the client sees the user's password). The Authorization Code flow with PKCE is now recommended for most applications, including mobile and single-page apps, and the OAuth 2.1 draft drops the Implicit and Password grants entirely.

What is PKCE and why is it important?

PKCE (Proof Key for Code Exchange, RFC 7636) is a security extension that protects the authorization code flow from interception attacks. The client generates a high-entropy random code verifier and derives a code challenge from it (with the S256 method, the base64url-encoded SHA-256 hash of the verifier). The challenge is sent with the authorization request, and the verifier is sent when exchanging the code for tokens; the authorization server hashes the verifier and compares it with the stored challenge. This ensures that only the client instance that started the flow can complete it, even if the authorization code is intercepted, because the code alone is worthless without the verifier.

What is the difference between access tokens and refresh tokens?

Access tokens are short-lived credentials used to access protected resources (APIs). They typically expire in minutes to hours. Refresh tokens are long-lived credentials presented to the token endpoint to obtain new access tokens without requiring user interaction. This separation improves security: if an access token is compromised, it is only valid briefly, while refresh tokens never leave the client-to-authorization-server channel, can be stored more carefully, rotated on every use, and revoked if needed.

How do OAuth scopes work?

Scopes define the specific permissions an application is requesting. When a user authorizes an application, they see what scopes are being requested (e.g., 'read:user', 'write:repos'). The authorization server includes the granted scopes in the access token. Resource servers then check these scopes to determine if a request should be allowed. This enables fine-grained access control and follows the principle of least privilege.
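The following is an added example, not code from the original page or from any OAuth implementation, covering the two previous questions together: token lifetimes with refresh token rotation on the authorization server side, and scope enforcement on the resource server side. The TokenStore class, the ten-minute access token lifetime, the subject "alice", the scope names and the injected clock are all assumptions made for the illustration; tokens here are opaque random strings looked up in memory, whereas a real deployment would use RFC 7662 introspection or self-contained (JWT) access tokens for the same checks.

```python
import secrets
import time


class TokenStore:
    """Toy authorization server state (assumption: opaque tokens kept in memory)."""

    ACCESS_TTL = 600          # 10 minutes: a leaked access token is only useful briefly
    REFRESH_TTL = 30 * 86400  # refresh tokens live long but are rotated on every use

    def __init__(self, now=time.time):
        self.now = now                 # injectable clock so expiry can be exercised offline
        self.access = {}               # access token -> {sub, scope, exp}
        self.refresh = {}              # refresh token -> {sub, scope, exp, family, used}
        self.revoked_families = set()  # families killed after reuse was detected

    def issue(self, sub, scope, family=None):
        """Mint a new access/refresh pair; the family id links rotated refresh tokens."""
        family = family or secrets.token_hex(8)
        at, rt, t = secrets.token_urlsafe(32), secrets.token_urlsafe(32), self.now()
        self.access[at] = {"sub": sub, "scope": scope, "exp": t + self.ACCESS_TTL}
        self.refresh[rt] = {"sub": sub, "scope": scope, "exp": t + self.REFRESH_TTL,
                            "family": family, "used": False}
        return {"access_token": at, "refresh_token": rt, "token_type": "Bearer",
                "expires_in": self.ACCESS_TTL, "scope": scope}

    def refresh_grant(self, rt, scope=None):
        """grant_type=refresh_token: rotate, forbid widening scope, detect reuse."""
        rec = self.refresh.get(rt)
        if rec is None or rec["exp"] < self.now() or rec["family"] in self.revoked_families:
            raise ValueError("invalid_grant")
        if rec["used"]:
            # A rotated token presented again means two parties hold copies: revoke the family.
            self.revoked_families.add(rec["family"])
            raise ValueError("invalid_grant: refresh token reuse detected, family revoked")
        scope = scope or rec["scope"]
        if not set(scope.split()) <= set(rec["scope"].split()):
            raise ValueError("invalid_scope: cannot widen scope on refresh")
        rec["used"] = True
        return self.issue(rec["sub"], scope, rec["family"])

    def introspect(self, at):
        """What a resource server learns about an access token (cf. RFC 7662 shape)."""
        rec = self.access.get(at)
        if rec is None or rec["exp"] < self.now():
            return {"active": False}
        return {"active": True, **rec}


def require_scope(store, auth_header, needed):
    """Resource server check on an 'Authorization: Bearer ...' header; returns (status, body)."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, {"error": "invalid_request"}
    info = store.introspect(auth_header[len("Bearer "):])
    if not info["active"]:
        return 401, {"error": "invalid_token"}
    if needed not in info["scope"].split():  # least privilege: only granted scopes pass
        return 403, {"error": "insufficient_scope", "scope": needed}
    return 200, {"sub": info["sub"]}


def demo():
    """Walk through expiry, refresh, scope denial, scope widening and reuse detection."""
    clock = [1_700_000_000.0]  # constructed fake time
    store = TokenStore(now=lambda: clock[0])
    grant = store.issue("alice", "read:user")
    hdr = "Bearer " + grant["access_token"]
    out = {"read_ok": require_scope(store, hdr, "read:user")[0],
           "write_denied": require_scope(store, hdr, "write:repos")[0]}
    clock[0] += 3600                                              # an hour passes
    out["expired"] = require_scope(store, hdr, "read:user")[0]
    fresh = store.refresh_grant(grant["refresh_token"])          # no user interaction needed
    out["after_refresh"] = require_scope(store, "Bearer " + fresh["access_token"], "read:user")[0]
    try:
        store.refresh_grant(fresh["refresh_token"], scope="read:user write:repos")
    except ValueError as e:
        out["widen"] = str(e)
    try:
        store.refresh_grant(grant["refresh_token"])              # old refresh token replayed
    except ValueError as e:
        out["reuse"] = str(e)
    try:
        store.refresh_grant(fresh["refresh_token"])              # newest one is dead too
    except ValueError as e:
        out["family_revoked"] = str(e)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Two choices in this code are worth copying into real systems: the resource server returns 401 for an expired or unknown token but 403 for a valid token that lacks the scope, so clients can tell "refresh and retry" from "this app was never granted that permission"; and rotation with reuse detection, which is what the OAuth 2.0 Security Best Current Practice asks for when refresh tokens are handed to public clients that cannot hold a client secret.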
