OAuth 2.0

OAuth 2.0 is an authorization framework that lets users grant third-party apps limited access to their accounts without sharing credentials.

OAuth 2.0 is the authorization framework behind "Login with Google," "Connect with GitHub," and most API permission models in production. When a user clicks that button, they are not handing their password to a third party - the identity provider issues a token that proves it authorized that specific app to access specific resources on the user's behalf.

The key separation in OAuth 2.0 is authentication (who you are) vs. authorization (what you can do). OAuth 2.0 handles authorization. OpenID Connect (OIDC) is a thin identity layer on top of OAuth 2.0 that handles authentication and exposes user profile data.

Why it matters in Engineering: Almost every API requiring user permissions uses OAuth 2.0. Most teams do not implement it from scratch - Auth0, Cognito, and similar identity providers handle the heavy lifting - but understanding the protocol is essential for debugging auth flows, designing permission models, and avoiding common security mistakes. Scopes should be minimal, tokens should expire, and refresh tokens must be stored securely. A misconfigured OAuth flow is a security vulnerability, not just a UX issue. Access tokens in OAuth 2.0 are typically JWTs, although the specification treats them as opaque strings that only the resource server needs to understand.

Core Concepts

Access Token
A short-lived credential the client uses to make authorized API calls. Typically a JWT valid for minutes to hours. Treat it like a session cookie.

Refresh Token
A longer-lived token used to obtain a new access token after the current one expires. Must be stored server-side or in a secure, httpOnly cookie - never in localStorage.

Scopes
Define what a token is permitted to do. A token with read:email scope can read email and nothing else. Request the minimum scope your application needs.

Authorization Code Flow
The correct OAuth flow for web apps. The user authenticates with the provider, receives a short-lived authorization code, and the backend exchanges that code for tokens. Tokens never touch the browser directly.

PKCE (Proof Key for Code Exchange)
An extension to Authorization Code Flow that prevents authorization code interception attacks: the client sends a hash (code_challenge) of a random secret (code_verifier) with the authorization request and must present the secret itself when exchanging the code, so a stolen code alone is useless. Required for mobile apps and single-page applications where a client secret cannot be stored safely, and current best-practice guidance recommends it for confidential web clients as well.
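The Authorization Code Flow and PKCE described above, worked through end to end as an added example (this is not code from the original page or from any identity provider). Both the client side and a toy authorization server live in one file so the verifier/challenge check, the state check, the single-use code and the minimal scope request can be seen together. Endpoint URLs, the client id, the redirect URI and the token values are constructed placeholders.

```python
"""PKCE (RFC 7636) on top of the Authorization Code flow, both sides in one file.

Added example; all endpoint URLs, client ids and token values are constructed
placeholders, not real provider data.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse


def generate_code_verifier() -> str:
    """Random code_verifier. RFC 7636 requires 43..128 chars from the unreserved
    set; secrets.token_urlsafe(32) yields exactly 43 base64url characters."""
    return secrets.token_urlsafe(32)


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(authorize_endpoint, client_id, redirect_uri, scopes, state, challenge):
    """Front-channel request the client redirects the browser to. 'state' binds the
    callback to this browser session (CSRF protection); scopes are space separated
    and kept to the minimum the application needs."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Client side: reject the callback unless state matches, then return the code."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or mixed-up session")
    if "code" not in qs:
        raise ValueError(f"authorization failed: {qs.get('error', ['unknown'])[0]}")
    return qs["code"][0]


class ToyAuthorizationServer:
    """Stand-in for the provider: remembers the challenge with each issued code and
    enforces single use, redirect_uri match and S256 verification on exchange."""

    def __init__(self):
        self._pending = {}  # code -> (client_id, redirect_uri, challenge)

    def authorize(self, client_id, redirect_uri, challenge, method, state) -> str:
        if method != "S256":  # 'plain' gives no protection against a leaked request
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (client_id, redirect_uri, challenge)
        # The provider redirects the browser back with the code and the echoed state.
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, code, client_id, redirect_uri, code_verifier) -> Optional[dict]:
        record = self._pending.pop(code, None)  # pop: a code is good for one exchange only
        if record is None or record[0] != client_id or record[1] != redirect_uri:
            return None
        if not hmac.compare_digest(code_challenge_s256(code_verifier), record[2]):
            return None  # verifier does not hash to the stored challenge
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}


def run_flow(tamper_verifier: bool = False) -> Optional[dict]:
    """Drive one full round trip. With tamper_verifier=True the exchange is attempted
    with a verifier that did not produce the challenge, as would happen to anyone
    holding only the code; the server must refuse it."""
    server = ToyAuthorizationServer()
    client_id, redirect_uri = "example-client", "https://app.example/callback"  # constructed
    verifier = generate_code_verifier()
    state = secrets.token_urlsafe(16)
    url = build_authorization_url("https://idp.example/authorize", client_id, redirect_uri,
                                  ["read:email"], state, code_challenge_s256(verifier))
    q = parse_qs(urlparse(url).query)
    callback = server.authorize(q["client_id"][0], q["redirect_uri"][0], q["code_challenge"][0],
                                q["code_challenge_method"][0], q["state"][0])
    code = parse_callback(callback, state)
    presented = generate_code_verifier() if tamper_verifier else verifier
    return server.token(code, client_id, redirect_uri, presented)


if __name__ == "__main__":
    print("legitimate exchange:", run_flow())
    print("exchange with wrong verifier:", run_flow(tamper_verifier=True))
```

The verifier is generated and held by the backend (or, for an SPA, in memory for the life of the flow) and never appears in the front-channel redirect; only its hash does. The toy server pops the code on first use, which is why a replayed code fails even if the attacker somehow had the right verifier, and it compares the hash with hmac.compare_digest so that the check is constant time.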
