O

OAuth 2.0

OAuth 2.0 is an authorization framework that enables third-party applications to obtain limited access to user accounts.

What is OAuth 2.0?

OAuth 2.0 is an authorization framework that enables applications to obtain limited, scoped access to user accounts on an HTTP service. The user authenticates to the authorization server (never to the third-party application), approves a set of scopes, and the application receives an access token it can present to the resource server. The application never sees the user's credentials, and the token can be scoped, expired, and revoked independently of them.

OAuth 2.0 Flows

  • Authorization Code: For web apps with a confidential backend that can hold a client secret
  • Authorization Code + PKCE: For SPAs, mobile and other public clients that cannot keep a secret (PKCE is now recommended for confidential clients too)
  • Client Credentials: For machine-to-machine access with no user involved
  • Device Code: For devices with limited input (TVs, CLI tools), where the user approves on a second device
  • Refresh Token: Obtain new access tokens without re-prompting the user

The Implicit and Resource Owner Password Credentials grants are deprecated by the OAuth 2.0 Security Best Current Practice and should not be used in new systems.
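The Authorization Code + PKCE flow, with both the client side and a toy authorization server side, as an added example that is not part of the original page. The endpoints, client id, redirect URI and the class/function names (`ToyAuthorizationServer`, `run_flow`, `replay_attack_rejected`) are assumptions for illustration; the PKCE computation itself follows RFC 7636 (S256). The server side stands in for a real authorization server only far enough to show what it must check: that the authorization code is single use, that it was issued to the same client and redirect URI, and that the verifier presented at the token endpoint hashes to the challenge sent in the authorization request.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical endpoints and client identifiers (assumptions, not from the page).
AUTH_ENDPOINT = "https://as.example/authorize"
CLIENT_ID = "spa-client"
REDIRECT_URI = "https://app.example/cb"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, code_challenge). 32 random bytes -> 43-char verifier,
    within the 43..128 length RFC 7636 allows; challenge = BASE64URL(SHA256(verifier))."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_url(client_id, redirect_uri, scope, state, code_challenge):
    """The request the client sends the user-agent to the authorization endpoint with."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,                      # CSRF binding between request and callback
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def _query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class ToyAuthorizationServer:
    """Constructed stand-in for the authorization server. Real servers also
    authenticate the user, render consent, and validate redirect_uri against
    the registered value; only the code/PKCE bookkeeping is modelled here."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, url: str) -> str:
        q = _query(url)
        if q.get("response_type") != "code" or q.get("code_challenge_method") != "S256":
            raise ValueError("unsupported_response_type")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"])
        # The user-agent is redirected back to the client with the code and the echoed state.
        return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, code, client_id, redirect_uri, code_verifier) -> dict:
        entry = self._codes.pop(code, None)  # pop: a code may be redeemed once only
        if entry is None:
            raise PermissionError("invalid_grant")
        issued_client, issued_redirect, challenge = entry
        expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if (issued_client != client_id or issued_redirect != redirect_uri
                or not secrets.compare_digest(expected, challenge)):
            raise PermissionError("invalid_grant")
        # Token format is opaque to the client; a random string is used here.
        return {"access_token": b64url(secrets.token_bytes(32)),
                "token_type": "Bearer", "expires_in": 3600}


def run_flow(server, scope="read"):
    """Client side of the flow: request, callback validation, token exchange."""
    verifier, challenge = make_pkce_pair()
    state = b64url(secrets.token_bytes(16))
    callback = server.authorize(build_authorization_url(CLIENT_ID, REDIRECT_URI, scope, state, challenge))
    q = _query(callback)
    if not secrets.compare_digest(q.get("state", ""), state):
        raise PermissionError("state mismatch: possible CSRF or mix-up")
    return server.token(q["code"], CLIENT_ID, REDIRECT_URI, verifier)


def replay_attack_rejected(server) -> bool:
    """An attacker who intercepts the code (e.g. via a leaked redirect) but not
    the verifier must be refused. Returns True when the server rejects it."""
    _, challenge = make_pkce_pair()
    state = b64url(secrets.token_bytes(16))
    callback = server.authorize(build_authorization_url(CLIENT_ID, REDIRECT_URI, "read", state, challenge))
    stolen_code = _query(callback)["code"]
    attacker_verifier, _ = make_pkce_pair()  # attacker cannot know the real verifier
    try:
        server.token(stolen_code, CLIENT_ID, REDIRECT_URI, attacker_verifier)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    srv = ToyAuthorizationServer()
    print(run_flow(srv))
    print("stolen code rejected:", replay_attack_rejected(srv))
```

Two points are easy to miss when reading the flow only at the HTTP level: the `state` check happens on the client before the code is ever exchanged, and the server pops the code on first use so a replayed or intercepted code is rejected even if the verifier were somehow known.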

OAuth Roles

Resource Owner (the user who owns the data), Client (the application requesting access), Authorization Server (authenticates the user, obtains consent, and issues tokens), and Resource Server (the API that accepts the access token and enforces its scopes). The authorization server and resource server are often run by the same provider but are distinct roles.

Common Misconceptions

  • "OAuth is authentication" - It's authorization; possession of an access token says nothing about who the user is (use OpenID Connect, which adds an ID token on top of OAuth, for authentication)
  • "Access tokens are JWTs" - The format is opaque to the client and not fixed by the core spec; RFC 9068 defines an optional JWT profile, but many providers issue random opaque strings
  • "OAuth is complex" - Well-defined patterns exist (Authorization Code + PKCE for user-facing apps, Client Credentials for services); most real-world breakage comes from deviating from them