100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Web

OAuth

IntermediateProtocol4.5K learners

OAuth is an open standard authorization protocol that lets a user grant a third-party application limited access to their resources on another service, without sharing their password with that application.

Definition

OAuth is an open standard authorization protocol that lets a user grant a third-party application limited access to their resources on another service, without sharing their password with that application.

Overview

OAuth (currently OAuth 2.0, with OAuth 2.1 consolidating security best practices) solves a specific problem: how does a user let one application access their data on another service — like letting a photo-printing app read their Google Photos — without handing over their actual login credentials? Instead of a password, the resource owner authorizes an application to receive a scoped, time-limited access token, which the application then presents to the resource server on the user's behalf. The protocol defines several roles — resource owner, client application, authorization server, and resource server — and several "grant types" for different scenarios: the authorization code flow (the standard for web and mobile apps, often paired with PKCE for public clients), the client credentials flow (for machine-to-machine access with no user present), and others. In the typical flow, the user is redirected to the authorization server, logs in and approves the requested scopes, and is redirected back to the client application with an authorization code that is exchanged for an access token — and often a refresh token used to obtain new access tokens without re-prompting the user. OAuth itself is an authorization protocol, not an authentication one; it says what an app is allowed to do, not who the user is. That distinction is why OpenID Connect was built as an identity layer on top of OAuth 2.0, and why access tokens issued by an OAuth flow are frequently formatted as a JSON Web Token (JWT). Nearly every "Sign in with Google/GitHub/Microsoft" button on the web is powered by OAuth under the hood, making it foundational to understand alongside REST API design and session management.

Specification

  • Separates authorization (what an app can access) from the user's actual credentials
  • Issues short-lived, scoped access tokens instead of sharing passwords
  • Supports multiple grant types for web apps, mobile apps, and server-to-server calls
  • Refresh tokens allow renewing access without re-prompting the user
  • PKCE extension protects public clients (mobile/SPA) from authorization code interception
  • Scopes let users approve fine-grained, limited permissions rather than all-or-nothing access
  • Forms the basis for most social "Sign in with..." login buttons
  • Extended by OpenID Connect to add a standardized identity/authentication layer

Use Cases

Letting third-party apps access a user's calendar, contacts, or files with limited scope
Implementing "Sign in with Google/GitHub/Microsoft" style social login
Granting CI/CD pipelines scoped, revocable access to cloud provider APIs
Allowing mobile apps to call backend APIs on behalf of a logged-in user
Enabling machine-to-machine authorization between backend services
Powering delegated access in API marketplaces and developer platforms

History

OAuth began as a community effort to solve delegated access — letting one application act on a user's behalf on another service without sharing passwords. The OAuth 1.0 specification was finalized in 2007 and later published by the IETF as RFC 5849 in 2010. Its request-signing scheme, with nonces and timestamps, proved operationally complex, and the IETF OAuth Working Group responded with a ground-up redesign: OAuth 2.0, published as RFC 6749 in October 2012. OAuth 2.0 replaced cryptographic signing with bearer tokens over TLS and defined distinct authorization flows (grant types) for web, mobile, and server-to-server clients. It is not backward compatible with 1.0, and it underpins the "Sign in with…" and API-authorization patterns used across the modern web.

Frequently Asked Questions