OAuth

OAuth is an open standard for access delegation. It enables a resource owner to authorize a client to access a protected resource on a server without sharing credentials. The framework specifies roles: resource owner (user), client (application), authorization server, and resource server, and describes how tokens grant access to restricted resources.

OAuth 1.0a, the original flavor, relies on cryptographic signatures and request tokens to authorize access. It requires the client to sign requests using secret keys and to exchange a request token for an access token after user authorization.

OAuth 2.0, published by the IETF in 2012 as a streamlined framework, decouples authorization from authentication and supports multiple grant types. The most common flows are authorization code (often with PKCE, Proof Key for Code Exchange, for public clients), implicit, client credentials, and password (the latter two are less common or discouraged for security reasons). In OAuth 2.0, access tokens are issued by the authorization server and presented to the resource server to access protected resources; tokens may be bearer tokens. Refresh tokens may be issued to obtain new access tokens.

Security and best practices: use TLS for all transfers; define scopes to limit access; use PKCE for public clients; avoid exposing tokens; rotate and revoke tokens; implement token introspection and audience checks when possible.

Relation and usage: widely used for delegated access to APIs, including social login and cloud services. It is maintained as an open standard with RFCs such as RFC 6749 and RFC 6750, and depends on evolving security considerations and ecosystem tooling.
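Two of the practices listed above, PKCE for public clients and audience/scope checks on the resource server, worked through as an added example that is not part of the original page. The authorization server is a hypothetical in-memory model (the `AuthorizationServer` class, its `_pending` store and the `resource_server_accepts` helper are assumptions made here); the PKCE computation follows RFC 7636 and the introspection fields (`active`, `aud`, `scope`) follow RFC 7662.

```python
import base64
import hashlib
import hmac
import secrets

# --- Client side (RFC 7636 PKCE) ---
def make_code_verifier() -> str:
    """32 random bytes -> 43 URL-safe chars, inside RFC 7636's 43..128 length range."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()

def code_challenge_s256(code_verifier: str) -> str:
    """S256 method: BASE64URL(SHA-256(verifier)) with padding stripped."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

# --- Authorization server side (hypothetical in-memory model, not a real AS) ---
class AuthorizationServer:
    def __init__(self) -> None:
        self._pending = {}  # constructed store: code -> (challenge, client_id)

    def issue_code(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        """Authorization endpoint: bind the challenge and client to a one-time code."""
        if method != "S256":
            raise ValueError("only S256 is accepted; 'plain' gives no protection")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (code_challenge, client_id)
        return code

    def redeem_code(self, code: str, client_id: str, code_verifier: str):
        """Token endpoint: code is consumed on any attempt, verifier checked in constant time."""
        entry = self._pending.pop(code, None)
        if entry is None:
            return None  # unknown or already-used code
        expected_challenge, bound_client = entry
        if bound_client != client_id:
            return None  # code was issued to a different client
        if not hmac.compare_digest(code_challenge_s256(code_verifier), expected_challenge):
            return None  # verifier does not match the challenge sent at authorization time
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}

# --- Resource server side: audience and scope checks on an RFC 7662 introspection reply ---
def resource_server_accepts(introspection: dict, required_scope: str, my_audience: str) -> bool:
    if not introspection.get("active"):
        return False  # revoked, expired or unknown token
    aud = introspection.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if my_audience not in aud:
        return False  # token was minted for a different API
    return required_scope in introspection.get("scope", "").split()
```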