OAuth 2.0

What is OAuth 2.0

OAuth 2.0 is an authorization protocol framework that has become the industry standard. It allows applications to have secure delegated access, meaning they can act on behalf of a user without having to reveal their passwords.

Basic terms

Resource Owner

The user who consents to an application's access request.


The application that requests access to the resource owner's account and is authorized by the server.

Resource Server

The server that stores the user data requested by the client.

Authorization Server

The server that verifies the identity of the resource owner and issues the appropriate tokens to the client.

Process and components

Redirect URI

The URI that the user will be redirected to after authorization.


The range of permissions that the client is requesting.


Security key issued by the authorization server. There are access tokens for authorizing API calls and refresh tokens for obtaining new access tokens.

Authorization Code

A unique code that the client receives after approval from the resource owner and can exchange for an access token.

Authorization flows

OAuth 2.0 offers different authorization grant types for different scenarios:

  • Authorization Code: For applications running over a server where the confidentiality of the client secret can be guaranteed.
  • Implicit: For mobile apps or web applications (like JavaScript spa) where the client secret cannot be kept secure.
  • Password Credentials: When users trust their credentials directly to the application.
  • Client Credentials: For applications running on a server that require access to protected resources without involving the resource owner.

Significance in modern development

Using OAuth 2.0 is critical to implementing secure authorization mechanisms in modern applications. It enables a standardized method for users to provide consent without sharing sensitive info .