OAuth 2.0
An authorization framework that enables third-party applications to obtain limited access to a web service on behalf of a resource owner.
Description
OAuth 2.0 is the industry-standard protocol for authorization, replacing the original OAuth 1.0 protocol. It focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices. The framework defines four grant types -- authorization code, implicit, resource owner password credentials, and client credentials -- each suited to different application architectures and trust levels.
OAuth 2.0 separates the role of the client from the resource owner, introducing an authorization layer. Instead of using the resource owner's credentials to access protected resources, the client obtains an access token -- a string denoting a specific scope, lifetime, and other access attributes. Access tokens are issued to third-party clients by an authorization server with the approval of the resource owner. The client then uses the access token to access the protected resources hosted by the resource server.
Proper implementation requires careful consideration of token storage, transport security (TLS everywhere), redirect URI validation, state parameter usage for CSRF protection, and scope management. The specification's security best current practice (BCP) guidance now recommends against the implicit grant and the resource owner password credentials grant in favor of the authorization code grant with PKCE for all client types.
Prompt Snippet
Implement OAuth 2.0 authorization code flow with PKCE for a web application. Register the client with the authorization server, configure redirect URIs with strict matching, and include the state parameter for CSRF protection. Use short-lived access tokens (15-30 min) and store refresh tokens server-side. Validate all tokens using the authorization server's JWKS endpoint and enforce scope restrictions at the API gateway level.
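The prompt snippet above describes the client side of the flow. The following is an added example, not code from this page or from any OAuth library: it implements the PKCE verifier/challenge pair (S256), the single-use state check, and strict redirect URI matching for a server-side web client. The client id, redirect URI and authorization endpoint are constructed placeholder values; token validation against the JWKS endpoint is left to a JWT library.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed registration values for a hypothetical client; not a real provider.
CLIENT_ID = "example-web-app"
REGISTERED_REDIRECT_URI = "https://app.example.com/oauth/callback"
AUTHORIZE_ENDPOINT = "https://auth.example.com/authorize"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method."""
    verifier = _b64url(secrets.token_bytes(32))  # 43 unguessable characters
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def start_authorization(session: dict, scope: str = "openid profile") -> str:
    """Build the front-channel redirect; keep verifier and state only in the server-side session."""
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(32)
    session["pkce_verifier"], session["oauth_state"] = verifier, state
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REGISTERED_REDIRECT_URI, "scope": scope, "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> dict:
    """Validate the redirect and return the back-channel token request body."""
    parsed = urlparse(callback_url)
    # Strict matching: the callback must land on exactly the registered URI.
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != REGISTERED_REDIRECT_URI:
        raise ValueError("redirect_uri mismatch")
    q = parse_qs(parsed.query)
    expected = session.pop("oauth_state", None)  # single use: a replayed callback fails
    if not expected or not secrets.compare_digest(q.get("state", [""])[0], expected):
        raise ValueError("state mismatch (possible CSRF)")
    if "error" in q:
        raise ValueError(f"authorization server returned {q['error'][0]}")
    # The verifier travels only on the back channel, so an intercepted code alone is useless.
    return {"grant_type": "authorization_code", "code": q["code"][0],
            "redirect_uri": REGISTERED_REDIRECT_URI, "client_id": CLIENT_ID,
            "code_verifier": session.pop("pkce_verifier")}
```

The returned dictionary is what the web application POSTs to the token endpoint over TLS; the resulting access token should then be verified against the authorization server's JWKS before any scope check.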
Related Terms
OAuth 2.0 PKCE Flow
An extension to the OAuth 2.0 authorization code flow that prevents authorization code interception attacks using a dynamically generated cryptographic code verifier.
OpenID Connect (OIDC)
An identity layer built on top of OAuth 2.0 that enables clients to verify the identity of the end-user and obtain basic profile information.
Authorization Code Grant
An OAuth 2.0 grant type where the client receives an authorization code via a browser redirect and exchanges it server-side for tokens, keeping tokens off the front channel.
JWT (JSON Web Tokens)
A compact, URL-safe token format that encodes claims as a JSON object, digitally signed for integrity verification and optionally encrypted for confidentiality.
Token Revocation
The mechanism for invalidating issued access or refresh tokens before their natural expiration, typically triggered by logout, password change, or security events.
Social Login (OAuth Providers)
Authentication via third-party identity providers like Google, GitHub, or Apple using OAuth 2.0/OIDC, allowing users to sign in with existing accounts.