
OAuth2

OAuth 2.0 is an authorization framework that enables a resource owner to grant a client limited access to protected resources on a resource server, by means of an access token issued by an authorization server. It is designed to support delegated access across applications and services without sharing user credentials.

Key roles in OAuth 2.0 include the resource owner (the user who owns the data), the client (the application requesting access), the resource server (the API hosting the protected resources), and the authorization server (the component that authenticates the resource owner and issues tokens). The client obtains an access token by presenting appropriate credentials and, depending on the flow, may also use a refresh token to obtain new access tokens without user interaction.

Common grant types include the authorization code flow (suitable for server-side apps), the client credentials flow (server-to-server access), and the device authorization flow (for devices with limited input). Public clients often use the authorization code flow with PKCE to mitigate interception of authorization codes. Bearer tokens are typically used as access tokens; their possession grants access, so transport security (HTTPS) and proper scope and lifetime management are essential. Tokens may be opaque or structured (for example, JWTs) and can be refreshed with a refresh token when supported.

OAuth 2.0 is defined by RFC 6749, with related guidance in RFC 6750 for bearer tokens, and is commonly extended by OpenID Connect for authentication. The framework is widely adopted for API security, enabling consent-based access without sharing user passwords.
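The paragraphs above describe the roles, the authorization code flow with PKCE, and why bearer tokens need lifetime management. The following is an added example, not code from the original page or from any OAuth library: a constructed in-memory authorization server that issues a single-use, short-lived authorization code bound to an S256 code challenge, and a client helper that generates the PKCE pair as RFC 7636 specifies. The client id, redirect URI and scope are made-up values, and the authorization server assumes the resource owner has already authenticated and consented. The walkthrough shows that a code redeemed without the matching verifier, or redeemed twice, yields `invalid_grant`, while the legitimate exchange yields a bearer token that a resource server can check.

```python
import base64
import hashlib
import hmac
import secrets
import time


def b64url(data: bytes) -> str:
    """Base64url encoding without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple[str, str]:
    """Client side: a high-entropy verifier (43 chars here) and its S256 challenge."""
    code_verifier = b64url(secrets.token_bytes(32))
    return code_verifier, s256_challenge(code_verifier)


class AuthorizationServer:
    """Constructed toy authorization server; not a production implementation."""

    CODE_TTL = 600     # authorization codes are short-lived and single-use
    TOKEN_TTL = 3600   # access token lifetime in seconds

    def __init__(self, clock=time.time):
        self._clock = clock
        self._codes = {}    # code -> record binding client, redirect_uri, scope, challenge
        self._tokens = {}   # access_token -> {client_id, scope, expires}

    def authorize(self, client_id, redirect_uri, scope, code_challenge, code_challenge_method="S256"):
        """Authorization endpoint, reached after the resource owner authenticated and consented (assumed)."""
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted; 'plain' does not protect an intercepted code")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {
            "client_id": client_id, "redirect_uri": redirect_uri, "scope": scope,
            "challenge": code_challenge, "expires": self._clock() + self.CODE_TTL,
        }
        return code

    def token(self, grant_type, code, client_id, redirect_uri, code_verifier):
        """Token endpoint for grant_type=authorization_code; every failure is invalid_grant."""
        if grant_type != "authorization_code":
            return {"error": "unsupported_grant_type"}
        record = self._codes.pop(code, None)   # consume the code so a replay is rejected
        if record is None or self._clock() > record["expires"]:
            return {"error": "invalid_grant"}
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            return {"error": "invalid_grant"}
        # PKCE: only the party holding the original verifier can redeem the code
        if not hmac.compare_digest(s256_challenge(code_verifier), record["challenge"]):
            return {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(32)
        self._tokens[access_token] = {
            "client_id": client_id, "scope": record["scope"],
            "expires": self._clock() + self.TOKEN_TTL,
        }
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": self.TOKEN_TTL, "scope": record["scope"]}

    def introspect(self, access_token):
        """What a resource server checks before serving a bearer token (constructed shape)."""
        rec = self._tokens.get(access_token)
        if rec is None or self._clock() > rec["expires"]:
            return {"active": False}
        return {"active": True, "client_id": rec["client_id"], "scope": rec["scope"]}


def run_flow():
    """Walk the authorization code + PKCE flow and return each step's outcome."""
    srv = AuthorizationServer()
    client_id, redirect_uri = "app-123", "https://client.example/cb"   # constructed values
    verifier, challenge = make_pkce_pair()
    code = srv.authorize(client_id, redirect_uri, "read", challenge)
    legit = srv.token("authorization_code", code, client_id, redirect_uri, verifier)
    replay = srv.token("authorization_code", code, client_id, redirect_uri, verifier)
    # A second code, redeemed by a party that saw the code but never had the verifier
    code2 = srv.authorize(client_id, redirect_uri, "read", challenge)
    wrong_verifier = srv.token("authorization_code", code2, client_id, redirect_uri, "x" * 43)
    return {
        "legit": legit, "replay": replay, "wrong_verifier": wrong_verifier,
        "introspection": srv.introspect(legit.get("access_token", "")),
    }


if __name__ == "__main__":
    for step, result in run_flow().items():
        print(f"{step}: {result}")
```

The `clock` parameter exists so code and token expiry can be exercised deterministically; in a real deployment the server would also revoke any token issued from a code that is later presented a second time, as RFC 6749 recommends.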