Glossary

OAuth

TL;DR

OAuth is an open standard for access delegation that enables third-party applications to obtain limited access to user accounts without sharing passwords.


Concept

OAuth (Open Authorization) is an open standard for access delegation that allows third-party services to access user information without requiring users to share their credentials. It provides a secure and standardized way for applications to request and obtain access to resources hosted by web services.

Key components and concepts of OAuth include:

  1. Resource Owner: The user who authorizes an application to access their account.

  2. Client: The application that wants to access the user’s account.

  3. Authorization Server: The server that authenticates the resource owner and issues access tokens.

  4. Resource Server: The server hosting the protected resources, which accepts and validates access tokens.

  5. Access Token: A credential that represents the authorization to access specific resources on behalf of the resource owner.

OAuth 2.0, the most widely used version, defines several authorization flows:

  • Authorization Code Flow: Most common flow for web applications with server-side components
  • Implicit Flow: Used for browser-based applications (now largely replaced by Authorization Code with PKCE)
  • Client Credentials Flow: Used for server-to-server authentication
  • Resource Owner Password Credentials Flow: Direct exchange of credentials for tokens (discouraged)

The OAuth flow typically involves:

  1. Application requests authorization from the user
  2. User authenticates directly with the service provider
  3. User grants permission to the application
  4. Application receives an authorization code
  5. Application exchanges the authorization code for an access token
  6. Application uses the access token to access protected resources

OAuth is commonly used for:

  • Social login (signing in with Google, Facebook, etc.)
  • API access delegation
  • Single Sign-On (SSO) implementations
  • Third-party application integrations

Organizations use OAuth to enable secure third-party access to their services, implement social login functionality, and build federated identity solutions. It’s a fundamental technology for modern web and mobile applications that need to integrate with external services.