OAuth 2.0
What is OAuth 2.0
OAuth 2.0 is an authorization protocol framework that has become the industry standard. It allows applications to have secure delegated access, meaning they can act on behalf of a user without having to reveal their passwords.
Basic terms
Resource Owner
The user who consents to an application's access request.
client
The application that requests access to the resource owner's account and is authorized by the server.
Resource Server
The server that stores the user data requested by the client.
Authorization Server
The server that verifies the identity of the resource owner and issues the appropriate tokens to the client.
Process and components
Redirect URI
The URI that the user will be redirected to after authorization.
Scope
The range of permissions that the client is requesting.
Tokens
Security key issued by the authorization server. There are access tokens for authorizing API calls and refresh tokens for obtaining new access tokens.
Authorization Code
A unique code that the client receives after approval from the resource owner and can exchange for an access token.
Authorization flows
OAuth 2.0 offers different authorization grant types for different scenarios:
- Authorization Code: For applications running over a server where the confidentiality of the client secret can be guaranteed.
- Implicit: For mobile apps or web applications (like JavaScript spa) where the client secret cannot be kept secure.
- Password Credentials: When users trust their credentials directly to the application.
- Client Credentials: For applications running on a server that require access to protected resources without involving the resource owner.
Significance in modern development
Using OAuth 2.0 is critical to implementing secure authorization mechanisms in modern applications. It enables a standardized method for users to provide consent without sharing sensitive info .