OAuth 2.0

OAuth 2.0 is an industry-standard protocol that enables secure, delegated access to APIs without requiring users to share their passwords with applications. Instead of handing over credentials, a user authorizes a trusted identity provider—such as Google, Microsoft, or an enterprise login system—to issue short-lived access tokens to a client application.

Allow users to grant access to their applications.

OAuth 2.0 is an industry-standard authorization framework that enables applications to obtain limited access to user accounts on third-party services without exposing user passwords. Developed by the Internet Engineering Task Force (IETF) and published as RFC 6749 in 2012, OAuth 2.0 solves the fundamental problem of secure delegated access—allowing users to grant applications permission to access their data on other services (like Google, Facebook, GitHub, or Microsoft) without sharing their login credentials. Instead of giving an application your password, OAuth 2.0 uses access tokens: temporary, limited-scope credentials that specify exactly what data the application can access and for how long. This token-based approach is what powers the “Sign in with Google” or “Connect with GitHub” buttons seen across the web, enabling seamless single sign-on (SSO) experiences while maintaining security. The framework defines four primary authorization flows (or “grant types”): Authorization Code Grant for server-side web applications, Implicit Grant (now deprecated) for browser-based apps, Client Credentials Grant for machine-to-machine communication, and Resource Owner Password Credentials Grant for trusted applications, each tailored to different security requirements and use cases.

OAuth 2.0 operates through a carefully orchestrated dance between four parties: the Resource Owner (the user), the Client (the application requesting access), the Authorization Server (which authenticates the user and issues tokens), and the Resource Server (which hosts the protected data). When a user wants to connect an application to their account on another service, they’re redirected to the authorization server where they authenticate and explicitly consent to the permissions being requested. Upon approval, the authorization server issues an authorization code (in the most secure flow) which the client application exchanges for an access token and optionally a refresh token. The access token—typically a JSON Web Token (JWT) or opaque string—is then included in API requests to the resource server to prove authorization. OAuth 2.0 has become the backbone of modern API security and is used by virtually every major platform including Google, Microsoft, Facebook, Twitter, GitHub, Salesforce, and thousands of other services. The framework has evolved with extensions like PKCE (Proof Key for Code Exchange) to secure mobile and single-page applications, token introspection for validating tokens, and token revocation for ending sessions. While OAuth 2.0 handles authorization (what you’re allowed to do), it’s often used alongside OpenID Connect (OIDC), an identity layer built on top of OAuth 2.0 that adds authentication (who you are), together forming the foundation for modern identity and access management in web, mobile, and API ecosystems.
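The authorization code flow with PKCE and the state check described above, simulated end to end with both the client and the authorization server in one process. This is an added example, not code from the page or from oauth.net; the client id, redirect URI and the in-memory code store are constructed for the demo.

```python
import base64, hashlib, secrets, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_pkce_pair() -> tuple[str, str]:
    """Client side: random code_verifier and its S256 code_challenge (RFC 7636)."""
    verifier = b64url(secrets.token_bytes(32))          # 43 URL-safe chars
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge

class AuthorizationServer:
    """Toy authorization server: single-use codes bound to client, redirect URI and challenge."""
    def __init__(self):
        self._codes = {}
        self._clients = {"demo-client": "https://app.example/callback"}  # constructed registration

    def authorize(self, client_id, redirect_uri, code_challenge, method, state):
        # Exact-match redirect URI and S256 only; state is echoed back unchanged for CSRF checking.
        if self._clients.get(client_id) != redirect_uri or method != "S256":
            raise ValueError("invalid_request")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = {"client": client_id, "redirect": redirect_uri,
                             "challenge": code_challenge, "exp": time.time() + 60}
        return code, state

    def token(self, client_id, redirect_uri, code, code_verifier):
        entry = self._codes.pop(code, None)            # pop: a code can be redeemed only once
        if entry is None or entry["exp"] < time.time():
            raise ValueError("invalid_grant")
        if entry["client"] != client_id or entry["redirect"] != redirect_uri:
            raise ValueError("invalid_grant")
        expected = b64url(hashlib.sha256(code_verifier.encode()).digest())
        if not secrets.compare_digest(expected, entry["challenge"]):
            raise ValueError("invalid_grant")          # verifier does not match the challenge
        return {"access_token": b64url(secrets.token_bytes(32)),
                "token_type": "Bearer", "expires_in": 3600}

def run_flow(server, tamper_verifier=False):
    """Client side: authorize -> check state -> exchange code (optionally with a wrong verifier)."""
    verifier, challenge = make_pkce_pair()
    state = b64url(secrets.token_bytes(16))
    code, returned_state = server.authorize("demo-client", "https://app.example/callback",
                                            challenge, "S256", state)
    if not secrets.compare_digest(returned_state, state):
        raise ValueError("state mismatch")              # would indicate a CSRF'd callback
    if tamper_verifier:
        verifier = "x" * 43                             # simulates a stolen code without the verifier
    return server.token("demo-client", "https://app.example/callback", code, verifier)
```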

License: Simplified BSD License

Tags: Authentication, Authorization, Security

Properties: Authorization Framework, Industry Standard, IETF Standard, RFC 6749, RFC 6750, Delegated Access, Token-Based Authorization, Access Tokens, Refresh Tokens, Authorization Codes, Grant Types, Authorization Code Grant, Implicit Grant, Client Credentials Grant, Resource Owner Password Credentials Grant, Device Authorization Grant, Four-Party Model, Resource Owner, Client Application, Authorization Server, Resource Server, User Consent, Permission Scopes, Limited Access, Temporary Credentials, No Password Sharing, Credential Separation, Token Expiration, Time-Limited Access, Revocable Access, Single Sign-On, SSO Support, Third-Party Access, API Authorization, Secure Delegation, HTTPS Required, TLS Required, Redirect URIs, Callback URLs, State Parameter, CSRF Protection, Client Authentication, Client ID, Client Secret, Public Clients, Confidential Clients, Token Endpoint, Authorization Endpoint, Redirect Endpoint, Bearer Tokens, Token Types, JWT Support, JSON Web Tokens, Opaque Tokens, Token Introspection, Token Revocation, Scope-Based Permissions, Fine-Grained Access Control, Read-Only Access, Write Access, Admin Access, Custom Scopes, Scope Validation, Consent Screen, User Authorization, Explicit Consent, Permission Grants, OAuth Flows, Web Application Flow, Mobile Application Flow, SPA Flow, Server-to-Server Flow, Machine-to-Machine, M2M Authentication, Service Accounts, PKCE Extension, Proof Key for Code Exchange, Code Verifier, Code Challenge, S256 Method, Plain Method, Mobile Security, Native App Support, Single Page Applications, Browser-Based Apps, Backend Applications, Microservices, API Gateway Integration, Identity Provider, IdP Integration, Social Login, Sign in with Google, Sign in with Facebook, Sign in with GitHub, Sign in with Microsoft, Sign in with Apple, Enterprise SSO, SAML Bridge, LDAP Integration, Active Directory, Azure AD, Okta Support, Auth0 Support, Keycloak Support, AWS Cognito, Google Identity Platform, Multi-Tenant Support, Organization Support, Workspace Integration, OpenID Connect, OIDC Layer, Authentication Extension, ID Tokens, UserInfo Endpoint, Claims, Profile Information, Email Verification, Identity Verification, Multi-Factor Authentication, MFA Support, Step-Up Authentication, Risk-Based Authentication, Adaptive Authentication, Session Management, Logout Support, Back-Channel Logout, Front-Channel Logout, Token Exchange, Token Binding, Token Lifetime, Access Token Expiration, Refresh Token Rotation, Sliding Expiration, Absolute Expiration, Security Best Practices, Threat Mitigation, Authorization Code Injection, Redirect URI Validation, State Validation, Nonce Support, Replay Attack Prevention, Token Leakage Prevention, XSS Protection, CSRF Protection, Clickjacking Prevention, Open Redirect Prevention, Client Registration, Dynamic Client Registration, Client Metadata, Redirect URI Registration, OAuth 2.0 Security BCP, Best Current Practice, RFC 8252, RFC 8628, RFC 7636, RFC 7009, RFC 7662, Standardized Endpoints, Discovery Document, Well-Known Configuration, Metadata Endpoint, JWKS Endpoint, JSON Web Key Sets, Key Rotation, Signature Verification, Token Validation, Audience Validation, Issuer Validation, Expiration Checking, Clock Skew Tolerance, Token Caching, Performance Optimization, Rate Limiting, Throttling, Quota Management, Usage Tracking, Audit Logging, Security Events, Compliance, GDPR Compliance, Privacy Protection, Data Minimization, Consent Management, User Control, Permission Revocation, Third-Party App Management, Connected Apps, Authorized Applications, Trust Management, Vendor Neutral, Platform Agnostic, Language Independent, Cross-Platform, REST API Compatible, GraphQL Compatible, gRPC Support, WebSocket Support, Server-Side Implementation, Client-Side Libraries, SDK Support, Java Libraries, Python Libraries, Node.js Libraries, .NET Libraries, PHP Libraries, Ruby Libraries, Go Libraries, Rust Support, Mobile SDKs, iOS SDK, Android SDK, React Native, Flutter Support, JavaScript Libraries, TypeScript Support, Framework Integration, Spring Security, Express.js, Django, Flask, Laravel, Rails, ASP.NET, Production Ready, Enterprise Grade, Scalable, High Availability, Load Balancing, Distributed Systems, Cloud Native, Container Support, Kubernetes Integration, Service Mesh, API Management, Kong Integration, Apigee Support, AWS API Gateway, Azure API Management, Google Cloud Endpoints, Rate Limit Headers, Token Response Format, Error Responses, Error Codes, Invalid Grant, Unauthorized Client, Access Denied, Unsupported Grant Type, Invalid Scope, Server Error, Temporarily Unavailable, Standard Error Format, JSON Response, URL Encoding, Form Encoding, Content Negotiation, Accept Headers, CORS Support, Cross-Origin Requests, Preflight Requests, Credentials Mode, Same-Site Cookies, Secure Cookies, HttpOnly Cookies, Cookie-Based Sessions, Stateless Authentication, Distributed Sessions, Session Stores, Redis Integration, Database Storage, In-Memory Cache, Token Storage, Secure Storage, Keychain Integration, Encrypted Storage, Client-Side Storage, LocalStorage Considerations, SessionStorage, Mobile Storage, Biometric Authentication, Fingerprint Support, Face ID, Touch ID, Hardware Tokens, YubiKey Support, FIDO2, WebAuthn Integration, Passwordless Authentication, Magic Links, OTP Support, SMS Authentication, Email Authentication, Backup Codes, Recovery Options, Account Linking, Social Account Linking, Multiple Identities, Federation, Identity Federation, Cross-Domain SSO, Enterprise Federation, B2B Integration, B2C Support, Customer Identity, CIAM Platform, User Management, Profile Management, Attribute Mapping, Claim Transformation, Custom Claims, Role-Based Access, RBAC Support, Attribute-Based Access, ABAC Support, Policy Enforcement, Fine-Grained Authorization, Resource-Level Permissions, Action-Level Permissions, Context-Aware Access, Location-Based Access, Device-Based Access, Time-Based Access, IP Restrictions, Geofencing, Conditional Access, Step-Up Authorization, Elevated Privileges, Temporary Access, Just-In-Time Access, Zero Trust, Continuous Verification, Device Trust, Certificate-Based Authentication, Mutual TLS, mTLS Support, Client Certificates, Certificate Pinning, Public Key Infrastructure, PKI Integration, Hardware Security Modules, HSM Support, Key Management, Secret Management, Vault Integration, Environment Variables, Configuration Management, Monitoring, Metrics Collection, Performance Monitoring, Security Monitoring, Anomaly Detection, Fraud Detection, Bot Detection, Brute Force Protection, Account Lockout, Suspicious Activity, Security Alerts, Incident Response, Debugging Tools, Token Inspector, Flow Visualization, Developer Console, Test Environments, Sandbox Mode, Mock Servers, Integration Testing, End-to-End Testing, Security Testing, Penetration Testing, Vulnerability Scanning, Compliance Testing, Documentation, API Documentation, Integration Guides, Migration Guides, Best Practice Guides, Security Guidelines, Code Examples, Sample Applications, Reference Implementations, Community Support, Stack Overflow, GitHub Discussions, Issue Tracking, Bug Reports, Feature Requests, Roadmap, Versioning, Deprecation Policy, Migration Paths, Backward Compatibility, Legacy Support, Widely Adopted, Battle Tested, Mature Standard, Proven Technology, Industry Acceptance, Vendor Support, Tool Ecosystem, Testing Tools, Postman Integration, Bruno Support, Insomnia Support, cURL Examples, HTTP Client Support

Website: https://oauth.net/2/


Last modified January 3, 2026: add latest (073ea49)