OAuth 2.0 Basics
OAuth 2.0 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service. It works by delegating user authentication to the service that hosts the user account and letting that service authorize third-party applications to access the account.
Key Concepts
Resource Owner
The user who authorizes an application to access their account. The application’s access to the user’s account is limited to the “scope” of the authorization granted.
Client
An application making protected resource requests on behalf of the resource owner and with its authorization. The term “client” does not imply any particular implementation characteristics.
Authorization Server
The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
Resource Server
The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
Authorization Flows
Authorization Code Flow
The most secure and commonly used flow, suitable for server-side applications.
Client Credentials Flow
Used for server-to-server authentication where the client is acting on its own behalf.
Device Flow
Designed for input-constrained devices that lack an easy input method.
Access Tokens
Access tokens are credentials used to access protected resources. They represent specific scopes and durations of access, granted by the resource owner, and enforced by the resource server and authorization server.
Scopes
Scopes provide a way to limit the access granted by an access token. A scope value is a space-separated list of strings, each naming a permission granted by the resource owner.
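As an added example (not part of this page's original content), this is the resource server's side of scope enforcement in Python: it parses the space-separated scope string and rejects a request whose token is inactive, expired, or lacking a required scope. The token record and the scope names are constructed for illustration and do not come from any real service.

```python
import time
from typing import Optional, Set, Tuple

# Constructed sample: what a resource server might hold for a presented token
# (for example, the result of token introspection). Values are invented.
SAMPLE_TOKEN = {
    "active": True,
    "scope": "profile:read  email:read",   # double space on purpose: still valid
    "exp": int(time.time()) + 300,         # short-lived: expires in 5 minutes
    "client_id": "example-client",
}


def parse_scope(scope: str) -> Set[str]:
    """Split an RFC 6749 scope string (space-separated) into a set of scope names.

    Empty entries from repeated spaces are dropped; tabs are not separators.
    """
    return {s for s in scope.split(" ") if s}


def has_required_scopes(granted: str, required: Set[str]) -> bool:
    """True only if every required scope appears in the granted scope string."""
    return required.issubset(parse_scope(granted))


def authorize_request(token: dict, required: Set[str],
                      now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether a request may proceed with this token.

    Returns (allowed, reason). The reason strings mirror the error names a
    resource server would report back: an expired or inactive token is an
    invalid token, a valid token without the needed scope is insufficient_scope.
    """
    now = time.time() if now is None else now
    if not token.get("active"):
        return False, "token inactive"
    if token.get("exp", 0) <= now:
        return False, "token expired"
    if not has_required_scopes(token.get("scope", ""), required):
        return False, "insufficient_scope"
    return True, "ok"


if __name__ == "__main__":
    # A read of the profile is allowed, a write is not, because the token was
    # only granted profile:read and email:read.
    print(authorize_request(SAMPLE_TOKEN, {"profile:read"}))
    print(authorize_request(SAMPLE_TOKEN, {"profile:write"}))
```

The check is deliberately a set comparison rather than a substring match: a token granted `profile:readonly` must not satisfy a requirement for `profile:read`.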
Security Considerations
- Always use HTTPS
- Implement proper token storage
- Use short-lived access tokens
- Implement proper scope validation
- Consider using PKCE (Proof Key for Code Exchange) for additional security
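As an added example covering both the Authorization Code Flow above and the PKCE recommendation in this list (it is not code from this page or from any OAuth library), the following Python simulates both sides of the exchange in one process: the client generates a PKCE code verifier and challenge, the authorization server issues a short-lived, single-use code bound to the client, redirect URI, scope and challenge, and the token endpoint only releases an access token when the verifier matches. The client registration, redirect URI and scope names are constructed; the HTTP transport is left out so the checks themselves are visible.

```python
import base64
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# ---- Client side ----------------------------------------------------------

def make_pkce_pair() -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) using the S256 method."""
    verifier = b64url(secrets.token_bytes(32))            # 43 chars, high entropy
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


# ---- Authorization server side (in-memory stand-in for illustration) ------

class AuthorizationServer:
    CODE_TTL = 60      # authorization codes are single-use and short-lived
    TOKEN_TTL = 600    # access tokens are short-lived

    def __init__(self) -> None:
        # Constructed client registration; a real server keeps this in a database.
        self._clients = {"example-client": {"redirect_uri": "https://app.example/cb"}}
        self._codes: Dict[str, dict] = {}

    def authorize(self, client_id: str, redirect_uri: str, scope: str,
                  code_challenge: str, method: str = "S256",
                  now: Optional[float] = None) -> str:
        """Called after the resource owner consents; issues an authorization code."""
        now = time.time() if now is None else now
        client = self._clients.get(client_id)
        # Exact-match the registered redirect URI so the code cannot be sent elsewhere.
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_request: unknown client or redirect_uri")
        if method != "S256":
            raise ValueError("invalid_request: only S256 is accepted")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "scope": scope, "challenge": code_challenge,
                             "expires": now + self.CODE_TTL}
        return code

    def token(self, client_id: str, code: str, redirect_uri: str,
              code_verifier: str, now: Optional[float] = None) -> dict:
        """Exchange a code for an access token; any failed check is invalid_grant."""
        now = time.time() if now is None else now
        record = self._codes.pop(code, None)   # pop first: a code can be redeemed once
        if record is None or record["expires"] <= now:
            raise ValueError("invalid_grant")
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_grant")
        expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not secrets.compare_digest(expected, record["challenge"]):
            raise ValueError("invalid_grant")   # verifier does not match the challenge
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": self.TOKEN_TTL, "scope": record["scope"]}


def run_flow(server: Optional[AuthorizationServer] = None) -> dict:
    """One successful round trip: create a PKCE pair, obtain a code, redeem it."""
    server = server or AuthorizationServer()
    verifier, challenge = make_pkce_pair()
    code = server.authorize("example-client", "https://app.example/cb",
                            "profile:read", challenge)
    return server.token("example-client", code, "https://app.example/cb", verifier)


if __name__ == "__main__":
    print(run_flow())
```

The order of operations in `token` is the point: the code is removed from storage before any check runs, so a code that has already been redeemed, or that fails the PKCE comparison, cannot be retried. The verifier itself is never sent in the authorization request, so an intercepted code is useless without it.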
Next Steps