What is OAuth?
OAuth (Open Authorization) is a secure authorization protocol that enables applications to obtain limited access to user resources on another service, without needing to handle or store the user’s credentials (like username and password). It serves as a critical layer in modern web and API security, enabling secure, delegated access via access tokens instead of raw credentials.
Originally designed for the social web, OAuth has evolved into a vital standard adopted by giants like Google, Microsoft, Facebook, Amazon, and others. It’s widely used in mobile apps, cloud services, enterprise systems, and Internet of Things (IoT) devices.
OAuth 2.0, the version in use almost everywhere today, is an authorization framework rather than an authentication protocol: an access token states what a client may do with a resource, not who the user is. When an application needs to know the user's identity, it uses OpenID Connect (OIDC), an identity layer built on top of OAuth 2.0 that adds an ID token alongside the access token.
Major Use Cases of OAuth
OAuth is designed to serve a variety of real-world use cases across industries, technologies, and platforms. Here are the most common scenarios:
1. Third-Party App Access
OAuth allows users to grant limited access to their accounts on one site (like Google) to a third-party app (like Zoom) without sharing their credentials.
Example:
You use your Google account to sign into Spotify and grant Spotify access to your calendar or email address.
2. Single Sign-On (SSO)
OAuth is often combined with OpenID Connect to enable SSO solutions where users authenticate once and access multiple systems seamlessly.
Example:
An employee logs into their Microsoft account and gains access to Outlook, Teams, SharePoint, and internal enterprise apps without repeated logins.
3. API Access for Mobile or Web Apps
OAuth lets applications (mobile, desktop, browser-based) access RESTful APIs using tokens. This enables secure and stateless interactions without embedding credentials.
Example:
A mobile app accessing user profile data from an API server using an access token.
4. Server-to-Server Communication
For machine-to-machine use cases (like microservices or backend applications), OAuth’s Client Credentials Grant offers secure API communication without user involvement.
Example:
A payment gateway system authenticating backend services to process transactions via a banking API.
5. IoT and Smart Devices
OAuth allows headless devices like smart TVs, watches, or home assistants to securely connect and perform delegated tasks after user consent.
Example:
An Amazon Echo device linking to your Spotify account using the Device Authorization Flow.
How OAuth Works: Architecture Overview
OAuth defines interactions among several key roles and components. Here’s an architectural breakdown of how OAuth works:
Key Roles:
- Resource Owner (User): the individual who owns the data and can grant access to it.
- Client (Application): the app or service requesting access on behalf of the user (e.g., a weather app).
- Authorization Server: authenticates the user, collects consent and issues tokens (e.g., Google Auth, Okta, Auth0).
- Resource Server: hosts the protected resources (the API) and validates the token before allowing access (e.g., Gmail API, GitHub API).
Architecture Diagram:
[ User (Resource Owner) ]
          |  logs in and consents at the Authorization Server
          v
[ Client Application ] ---- authorization request, then code-for-token exchange ----> [ Authorization Server ]
          |                                                                                        |
          |  Authorization: Bearer <access token>                                                  |  issues access token
          v                                                                                        |  (and optional refresh token)
[ Resource Server (API) ] <------- validates the token before serving the request ------------------+
OAuth Grant Types (Flows)
OAuth provides different flows tailored to various application types and use cases:
Grant Type | Best For | User Involved? |
---|---|---|
Authorization Code Flow (with PKCE) | Web, mobile and single-page apps; the recommended default for any app acting for a user | ✅ Yes |
Implicit Flow (legacy) | Single-page apps; deprecated because tokens are returned in the URL fragment and leak easily | ✅ Yes |
Client Credentials Flow | Server-to-server APIs, where the client acts for itself rather than for a user | ❌ No |
Password Grant (legacy) | Trusted first-party apps only; deprecated because the client handles the user's raw credentials | ✅ Yes |
Device Authorization Flow | IoT devices, consoles and CLIs without a usable browser or keyboard | ✅ Yes (on a second device) |
Refresh Token Grant | Silent renewal of an expired access token | ❌ No |
OAuth Workflow: Step-by-Step (Authorization Code Flow)
The Authorization Code Flow is the most common and secure flow. Here’s a step-by-step walkthrough:
Step 1: User Clicks “Login with…”
The client app redirects the user's browser to the authorization server's authorization endpoint with a query string containing:
- Client ID
- Redirect URI (must exactly match one registered for this client)
- Response type (code)
- Scopes (permissions requested)
- State (a random, unguessable value the client stores in the user's session and checks on return, so that a callback not started by this session is rejected)
Public clients such as mobile apps and single-page apps, and ideally every client, also send a PKCE code_challenge and code_challenge_method=S256 here and present the matching code_verifier in Step 3.
Example URL:
https://authserver.com/auth?
response_type=code&
client_id=client123&
redirect_uri=https://clientapp.com/callback&
scope=profile%20email&
state=xyzABC123
Step 2: User Logs In and Grants Access
The user authenticates with the authorization server and approves or denies the request. If approved, the browser is redirected to the client's registered redirect URI with a short-lived, single-use authorization code and the original state value.
Example redirect:
https://clientapp.com/callback?code=abc123&state=xyzABC123
Before using the code, the client compares the returned state with the value it stored in the session; on a mismatch the response is discarded, since it was not initiated by this user's session.
Step 3: Client Exchanges Code for Token
The client sends the authorization code, the same redirect URI it used in Step 1 and its client credentials to the token endpoint over a direct back-channel (server to server) request, and receives an access token and optionally a refresh token. A confidential client authenticates with its client secret as shown below; a public client cannot keep a secret and instead sends the PKCE code_verifier, which the server hashes and compares with the code_challenge from Step 1. The code is valid only once and only for a short time, so an intercepted code is of little use to an attacker who lacks the secret or the verifier.
POST request to token endpoint:
POST /token
Host: authserver.com
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&
code=abc123&
redirect_uri=https://clientapp.com/callback&
client_id=client123&
client_secret=secret456
Step 4: Server Returns Access Token
The authorization server responds with a JSON object:
{
"access_token": "eyJhbGciOiJIUzI1...",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA"
}
Step 5: Access Protected Resource
The client includes the access token in the Authorization header of each API request. The resource server must validate the token before responding (signature or introspection, issuer, audience, expiry and the scopes the endpoint requires) and never treat a syntactically valid token as proof of anything on its own:
GET /userinfo
Host: api.example.com
Authorization: Bearer eyJhbGciOiJIUzI1...
Step 6: Refresh Token (Optional)
When the access token expires, the client presents the refresh token to the token endpoint to obtain a new access token without user interaction. A confidential client authenticates this request exactly as in Step 3. A refresh token is a long-lived credential and must be stored as carefully as a client secret; authorization servers that rotate refresh tokens (returning a new one with every refresh and invalidating the old one) limit the damage if one is stolen.
POST /token
Host: authserver.com
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token&
refresh_token=tGzv3JOkF0XG5Qx2TlKWIA&
client_id=client123&
client_secret=secret456
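The walkthrough above, carried end to end as an added example (this is not code from the original page): a minimal OAuth client and an in-memory stand-in for the authorization server, written in Python, exchanging the same messages as Steps 1 to 4 with the state and PKCE parameters included. The endpoints https://authserver.example/auth and https://clientapp.example/callback, the client_id client123 and the direct method call that replaces the HTTPS token request are assumptions made for illustration; a real client sends the Step 3 request as an HTTPS POST to the provider's token endpoint.

```python
"""Authorization Code flow with state and PKCE, both sides in one process.

Added example, not the page's code. Client and AuthServer are stand-ins for a
real relying party and a real authorization server; the endpoint URLs and
client_id below are hypothetical.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://authserver.example/auth"    # hypothetical
REDIRECT_URI = "https://clientapp.example/callback"  # hypothetical, registered with the AS
CLIENT_ID = "client123"                              # hypothetical


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding PKCE values use (RFC 7636)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def pkce_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)) for method S256."""
    return b64url(hashlib.sha256(verifier.encode()).digest())


class Client:
    """The OAuth client: builds the authorize URL (Step 1) and handles the callback (Steps 2-3)."""

    def __init__(self):
        # state -> code_verifier, kept in the user's server-side session, never sent in the URL
        self.pending = {}

    def build_authorize_url(self, scope="profile email"):
        state = b64url(secrets.token_bytes(16))     # binds the callback to this session (CSRF)
        verifier = b64url(secrets.token_bytes(32))  # PKCE secret; only its hash leaves the client
        self.pending[state] = verifier
        params = {
            "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "scope": scope, "state": state,
            "code_challenge": pkce_challenge(verifier), "code_challenge_method": "S256",
        }
        return AUTH_ENDPOINT + "?" + urlencode(params)

    def handle_callback(self, callback_url, auth_server):
        q = parse_qs(urlparse(callback_url).query)
        verifier = self.pending.pop(q.get("state", [""])[0], None)  # state is single use
        if verifier is None:
            raise ValueError("unknown or reused state: callback rejected (CSRF / code injection)")
        if "code" not in q:
            raise ValueError("authorization denied: " + q.get("error", ["unknown"])[0])
        # Stand-in for the back-channel POST /token request of Step 3 (public client: no secret)
        return auth_server.token({
            "grant_type": "authorization_code", "code": q["code"][0],
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID, "code_verifier": verifier,
        })


class AuthServer:
    """In-memory authorization server: single-use codes bound to client, redirect_uri and PKCE challenge."""

    REGISTERED = {CLIENT_ID: REDIRECT_URI}  # exact-match redirect URI registration

    def __init__(self):
        self.codes = {}

    def authorize(self, url, user_approves=True):
        """Step 2: validate the request, (pretend to) log the user in, redirect back with a code."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if q.get("client_id") not in self.REGISTERED or q.get("redirect_uri") != self.REGISTERED[q["client_id"]]:
            raise ValueError("redirect_uri does not exactly match the registered value; not redirecting")
        if q.get("response_type") != "code" or q.get("code_challenge_method") != "S256":
            raise ValueError("unsupported request")
        if not user_approves:
            return q["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": q["state"]})
        code = b64url(secrets.token_bytes(16))
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                            "challenge": q["code_challenge"], "scope": q.get("scope", "")}
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, form):
        """Steps 3-4: redeem the code once, only for the same client, redirect_uri and verifier."""
        rec = self.codes.pop(form.get("code"), None)  # popped, so a replayed code finds nothing
        if (rec is None
                or form.get("grant_type") != "authorization_code"
                or form.get("client_id") != rec["client_id"]
                or form.get("redirect_uri") != rec["redirect_uri"]
                or pkce_challenge(form.get("code_verifier", "")) != rec["challenge"]):
            return {"error": "invalid_grant"}
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer",
                "expires_in": 3600, "scope": rec["scope"]}


def run_flow(user_approves=True):
    """Steps 1-4 end to end; returns the token response (or raises if the user denied)."""
    client, server = Client(), AuthServer()
    callback = server.authorize(client.build_authorize_url(), user_approves)
    return client.handle_callback(callback, server)


def replayed_code_is_rejected():
    """An attacker who captured the callback URL cannot redeem the code a second time or without the verifier."""
    client, server = Client(), AuthServer()
    callback = server.authorize(client.build_authorize_url())
    first = client.handle_callback(callback, server)
    code = parse_qs(urlparse(callback).query)["code"][0]
    replay = server.token({"grant_type": "authorization_code", "code": code,
                           "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                           "code_verifier": "guessed"})
    return "access_token" in first and replay == {"error": "invalid_grant"}


if __name__ == "__main__":
    print(run_flow())
```

Two details carry most of the security value: the client pops the state from its session so each callback is accepted at most once, and the server pops the code on redemption and only hands out a token when the redirect_uri and the PKCE verifier match what was recorded when the code was issued, which is what makes an intercepted code worthless on its own.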
Security Best Practices for OAuth
- Always use HTTPS (TLS) on every endpoint. Codes and tokens travel in URLs, headers and form bodies, and all of them leak over plaintext.
- Store client secrets securely and only in confidential clients. Code shipped to a browser or a mobile device cannot keep a secret, so such apps are public clients and rely on PKCE instead.
- Use PKCE (Proof Key for Code Exchange) in every authorization code flow, not only in public clients; it binds the code to the client instance that requested it.
- Send a random state value and verify it on the callback to prevent CSRF and authorization code injection.
- Register exact redirect URIs and match them exactly (no wildcards, no prefix matching). A loose match lets an attacker receive the authorization code.
- Use short-lived access tokens (minutes to an hour) and rotate refresh tokens to shrink the window in which a stolen token is useful.
- Request and grant only the scopes the application needs, and have the resource server enforce the required scope per endpoint (least privilege).
- Validate every access token at the resource server before serving a request: signature or introspection, issuer, audience, expiry and scope.
- Do not use the Implicit or Resource Owner Password grants in new systems; the Authorization Code flow with PKCE covers their use cases without their weaknesses.
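The resource-server side of Step 5 and the validation bullets above, as an added example that is not code from the original page or from any provider: a Python handler for the page's GET /userinfo request that checks the Bearer token before answering. It assumes the access token is a JWT signed with HS256 under a secret shared between the authorization server and the resource server (the hypothetical SHARED_SECRET) and assumes the issuer and audience values shown; most deployments use asymmetric signatures (RS256/ES256) verified against the issuer's published JWKS instead, but the claim checks are the same. The mint_token helper is a constructed stand-in for the authorization server so the example runs offline.

```python
"""Resource server: validate a Bearer access token before serving GET /userinfo.

Added example, not the page's code. HS256 with a shared secret, the issuer
and the audience below are assumptions; mint_token only exists so that
sample tokens can be constructed offline.
"""
import base64
import hashlib
import hmac
import json
import time

SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"  # hypothetical
EXPECTED_ISSUER = "https://authserver.example"          # hypothetical
EXPECTED_AUDIENCE = "https://api.example.com"           # hypothetical (this API)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Constructed stand-in for the authorization server's token issuance."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


class TokenError(Exception):
    pass


def validate_bearer(authorization_header: str, required_scope: str, now: float = None) -> dict:
    """Return the verified claims or raise TokenError; nothing in the token is trusted before the signature check."""
    now = time.time() if now is None else now
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise TokenError("missing bearer token")
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:  # covers bad base64, bad JSON and a wrong number of segments
        raise TokenError("malformed token")
    # Pin the algorithm: never let the token pick it (alg=none, HS256/RS256 confusion)
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not issued for this API")
    if claims.get("exp", 0) <= now:  # a token without exp is treated as expired
        raise TokenError("token expired")
    if required_scope not in claims.get("scope", "").split():
        raise TokenError("insufficient_scope")
    return claims


def handle_userinfo(headers: dict, now: float = None):
    """Emulates GET /userinfo: (200, body) on success, else 401 invalid_token or 403 insufficient_scope (RFC 6750)."""
    try:
        claims = validate_bearer(headers.get("Authorization", ""), "profile", now)
    except TokenError as err:
        status = 403 if str(err) == "insufficient_scope" else 401
        return status, {"error": str(err)}
    return 200, {"sub": claims["sub"], "scope": claims["scope"]}
```

The order of checks matters: the signature is verified before any claim is acted on, the algorithm is pinned by the server rather than read from the token, and a token that passes signature checks is still refused when it was issued by someone else, for a different API, in the past, or without the scope this endpoint needs.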