OAuth 2.0
OAuth 2.0 is an authorization framework that enables a user to grant a third-party application delegated access to resources on another service, without exposing their credentials. It issues short-lived access tokens scoped to specific permissions rather than sharing passwords.
How it works
The client redirects the user to the authorization server, which authenticates the user and asks them to consent to requested scopes. Upon approval, the authorization server issues an authorization code that the client exchanges for an access token and, optionally, a refresh token.
Key facts
- Scopes: Define granular permissions granted to the client (for example, read:email, write:repo)
- Access token lifetime: Typically short-lived (minutes to hours) to limit exposure if leaked
- Refresh token: Long-lived token used to obtain new access tokens without user re-authentication
For builders
OAuth 2.0 is the foundation for integrating with Google, GitHub, Stripe, and most major platforms. Implementing it correctly, including validating the state parameter on the redirect back (which defends against login CSRF) and using PKCE for public clients (which defends against authorization code interception), is what makes the flow safe.
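The authorization code flow described above, with state validation and PKCE (RFC 7636, S256 method), as an added example that is not part of the original page or of any named provider's SDK. The endpoint URLs, client_id and redirect_uri are constructed placeholders; the session dict stands in for whatever server-side session store the client application uses, and no network calls are made, so the final server-side PKCE check is simulated locally.

```python
"""Authorization code flow client helpers with state + PKCE.

Added example; endpoint URLs, client id and redirect URI are placeholders.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHZ_ENDPOINT = "https://authz.example/oauth/authorize"  # placeholder
TOKEN_ENDPOINT = "https://authz.example/oauth/token"      # placeholder
CLIENT_ID = "example-public-client"                       # placeholder
REDIRECT_URI = "https://app.example/callback"             # placeholder


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge_for(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def parse_query(url: str) -> dict:
    """Query string as a dict of single values (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def build_authorization_url(scopes, session: dict) -> str:
    """Step 1: build the redirect to the authorization server.

    A fresh state and PKCE verifier are generated per request and kept
    only in the client's session; only the challenge leaves the client.
    """
    state = secrets.token_urlsafe(32)
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636 length limits
    session["oauth_state"] = state
    session["pkce_verifier"] = verifier
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge_for(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def handle_callback(callback_url: str, session: dict) -> dict:
    """Step 2: validate the redirect back, then build the token request body.

    The state is consumed (popped) so it cannot be replayed, and compared in
    constant time. Any mismatch aborts before the code is ever exchanged.
    """
    qs = parse_query(callback_url)
    expected = session.pop("oauth_state", None)
    returned = qs.get("state")
    if expected is None or returned is None or not secrets.compare_digest(expected, returned):
        raise ValueError("state mismatch: possible CSRF, aborting")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error']}")
    return {
        "grant_type": "authorization_code",
        "code": qs["code"],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session.pop("pkce_verifier"),
    }


def server_verifies_pkce(stored_challenge: str, token_request: dict) -> bool:
    """What the authorization server does at the token endpoint: recompute the
    challenge from the presented verifier and compare it to the one it stored
    with the authorization code. A stolen code without the verifier fails here."""
    derived = code_challenge_for(token_request["code_verifier"])
    return secrets.compare_digest(derived, stored_challenge)


def demo_flow(tamper_state: bool = False) -> bool:
    """Simulate the whole exchange locally; True if the token request would succeed."""
    session = {}
    auth_url = build_authorization_url(["read:email"], session)
    sent = parse_query(auth_url)
    # The authorization server stores the challenge alongside the code it issues.
    stored_challenge = sent["code_challenge"]
    state = "attacker-chosen" if tamper_state else sent["state"]
    callback = f"{REDIRECT_URI}?code=constructed-code&state={state}"
    try:
        token_request = handle_callback(callback, session)
    except ValueError:
        return False
    return server_verifies_pkce(stored_challenge, token_request)


if __name__ == "__main__":
    print("normal flow ok:", demo_flow())
    print("tampered state rejected:", not demo_flow(tamper_state=True))
```

The verifier never appears in the browser redirect, only its SHA-256 challenge does, so an attacker who observes the authorization code on the redirect cannot redeem it at the token endpoint; the state check runs before any token request is built, so a forged callback is rejected with nothing sent to the server.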
Sources
- IETF. RFC 6749: The OAuth 2.0 Authorization Framework. datatracker.ietf.org
- IETF. RFC 7519: JSON Web Token (JWT). datatracker.ietf.org
- IETF. RFC 8725: JSON Web Token Best Current Practices. datatracker.ietf.org
- OWASP. API Security Top 10 (2023). owasp.org
- OpenID Foundation. OpenID Connect specification. openid.net