OAuth 2.0
OAuth 2.0 is an authorization framework that lets an application access resources on behalf of a user without seeing the user's credentials. The user authenticates with an authorization server, consents to the requested access, and the application receives a token to present to the resource server.
OAuth is an authorization framework, not an authentication protocol. For sign-in, OpenID Connect (OIDC) is the layer that adds authentication on top.
How it works
Four roles are involved: the resource owner (typically the user), the client (the application requesting access), the authorization server (which issues tokens), and the resource server (which holds the protected data). The client redirects the user to the authorization server, the user authenticates and consents, and the client exchanges the returned authorization code for an access token, often together with a refresh token for longer-lived access.
Grant types
- Authorization Code with PKCE. Current recommendation for web and mobile clients.
- Client Credentials. Service-to-service calls with no user involved.
- Device Code. Input-constrained devices like TVs and CLIs.
- Refresh Token. Used to obtain new access tokens without re-prompting the user.
The Implicit and Resource Owner Password grants are deprecated.
Specification
Defined by RFC 6749, with bearer token usage in RFC 6750 and PKCE in RFC 7636. OAuth 2.1 (draft) consolidates current best practices and removes legacy grant types.
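The code-for-token exchange with PKCE (RFC 7636) described above, as an added example that is not part of the original page: the client derives an S256 challenge from a random verifier, and a minimal in-memory authorization server only redeems the single-use code when the presented verifier hashes back to the stored challenge for the same client and redirect URI. All names (make_code_verifier, AuthorizationServer, the client id and redirect URI) are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets


def _b64url(raw: bytes) -> str:
    # RFC 7636 uses base64url without padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(num_bytes: int = 32) -> str:
    # 32 random bytes -> 43 characters, the RFC 7636 minimum (max 128).
    return _b64url(secrets.token_bytes(num_bytes))


def s256_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical in-memory authorization server: stores the challenge with
    each issued code and checks it at the token endpoint."""

    def __init__(self) -> None:
        self._codes: dict[str, dict] = {}

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, method: str = "S256") -> str:
        if method != "S256":
            raise ValueError("only the S256 challenge method is accepted")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id,
                             "redirect_uri": redirect_uri,
                             "challenge": code_challenge}
        return code

    def redeem(self, code: str, client_id: str, redirect_uri: str,
               code_verifier: str) -> bool:
        record = self._codes.pop(code, None)  # single use: a replay gets None
        if record is None or not 43 <= len(code_verifier) <= 128:
            return False
        if (record["client_id"], record["redirect_uri"]) != (client_id, redirect_uri):
            return False
        # Constant-time comparison of the recomputed challenge.
        return hmac.compare_digest(s256_challenge(code_verifier), record["challenge"])
```

A successful redeem is where the real server would mint the access token (and optionally a refresh token); here it simply reports whether the exchange should be allowed.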