What Is OAuth?
Learn what OAuth is, how the Authorization Code flow works, and how scoped tokens let apps access data without your password.
Expected Interview Answer
OAuth is an authorization framework that lets a user grant a third-party application limited access to their resources on another service, without ever sharing their password with that application.
Instead of handing a client app your username and password, OAuth has you authenticate directly with the resource owner (say, Google), which then issues a scoped, time-limited access token to the client. The client uses that token to call APIs on your behalf, and the token can be revoked or expire without ever exposing your credentials. The most common flow, Authorization Code, involves the client redirecting you to the provider, you approving specific scopes, the provider redirecting back with a code, and the client exchanging that code server-side for an access token. OAuth is about authorization ("what can this app do"), which is often confused with authentication ("who are you") — OpenID Connect layers identity on top of OAuth to solve that separately.
- User never shares their password with the third-party app
- Access can be scoped to specific permissions
- Tokens can be revoked or expired independently of the password
- Enables secure single sign-on and delegated API access
AI Mentor Explanation
OAuth is like a stadium issuing a limited-access pass instead of giving a vendor your house key. You tell the gate office exactly what the vendor may access — say, the concession area only — and the office hands the vendor a badge with that scope and an expiry time. The vendor never learns your personal identity card details; they just carry the badge whenever they need entry. That scoped, revocable, credential-free access is exactly what OAuth provides an app.
Step-by-Step Explanation
Step 1
Client redirects to authorization server
The app sends the user to the provider’s login/consent screen with requested scopes.
Step 2
User authenticates and approves scopes
The user logs in directly with the provider and approves the specific permissions requested.
Step 3
Provider returns an authorization code
The provider redirects back to the client with a short-lived code.
Step 4
Client exchanges code for a token
The server-side client swaps the code for an access token (and refresh token) via a secure backend call.
What Interviewer Expects
- Clear distinction between authorization and authentication
- Understanding of the Authorization Code flow end to end
- Awareness of scopes, tokens, and revocation
- Mention of OpenID Connect for identity on top of OAuth
Common Mistakes
- Confusing OAuth (authorization) with authentication outright
- Storing access tokens insecurely (e.g., in localStorage for sensitive apps)
- Skipping the state parameter, opening the door to CSRF attacks
- Requesting overly broad scopes instead of least privilege
Best Answer (HR Friendly)
“OAuth lets you use one app while giving it limited permission to another service, like letting a photo app post to your social media, without ever sharing your password with that app. You approve exactly what it can do, and you can revoke that access anytime.”
Code Example
async function exchangeCodeForToken(code) {
const response = await fetch('https://provider.example.com/oauth/token', {
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: new URLSearchParams({
grant_type: 'authorization_code',
code,
redirect_uri: 'https://app.example.com/callback',
client_id: process.env.CLIENT_ID,
client_secret: process.env.CLIENT_SECRET,
}),
})
return response.json() // { access_token, refresh_token, expires_in }
}Follow-up Questions
- What is the difference between OAuth and OpenID Connect?
- What is the purpose of the state parameter in OAuth flows?
- How do refresh tokens differ from access tokens?
- What is PKCE and why is it needed for public clients?
MCQ Practice
1. What does OAuth primarily provide?
OAuth is an authorization framework granting scoped access without exposing credentials.
2. In the Authorization Code flow, what does the client exchange for an access token?
The provider issues a temporary code that the client swaps server-side for a token.
3. What layers identity/authentication on top of OAuth?
OpenID Connect adds an ID token and standardized identity claims on top of OAuth 2.0.
Flash Cards
What does OAuth grant? — Scoped, delegated authorization without sharing the user’s password.
What does the client get after the flow? — A time-limited access token (and often a refresh token).
What is a scope? — A specific permission the user approves, like read-only access to profile data.
OAuth vs authentication? — OAuth handles authorization; OpenID Connect adds authentication/identity.