OAuth 2.0

Main Hero

Definition

OAuth 2.0 is an open standard authorisation framework that allows applications to access resources on behalf of a user without exposing their login credentials. It provides a secure way for users to grant third-party applications limited access to their data, often using tokens instead of passwords.

Instead of sharing usernames and passwords, OAuth 2.0 issues access tokens that define what data can be accessed and for how long. This approach is widely used by platforms such as Google, Facebook, and Microsoft to enable secure sign-ins and integrations.

Advanced

At an advanced level, OAuth 2.0 defines several flows tailored to different use cases. These include authorisation code flow for server-side apps, implicit flow for single-page applications, client credentials flow for machine-to-machine communication, and device flow for limited input devices.

Security best practices include using HTTPS, refresh tokens, PKCE (Proof Key for Code Exchange), and short-lived access tokens. OAuth 2.0 is often paired with OpenID Connect (OIDC) to handle both authorisation and authentication, enabling features like single sign-on (SSO).

Why it matters

  • Improves security by eliminating password sharing.
  • Provides granular control over data access and permissions.
  • Enables integrations across platforms and third-party apps.
  • Supports compliance with security and privacy standards.

Use cases

  • Allowing users to log in to a service using Google or Facebook accounts.
  • Providing secure access for mobile apps to backend APIs.
  • Enabling SaaS platforms to integrate with external tools.
  • Allowing IoT or device-based apps to access cloud services.

Metrics

  • Number of successful token exchanges.
  • Token expiration and refresh success rates.
  • API error rates related to authorisation failures.
  • Security audit and compliance results.

Issues

  • Incorrect implementation can expose security vulnerabilities.
  • Long-lived tokens increase risk if compromised.
  • Misconfigured scopes may grant excessive permissions.
  • The complexity of flows can cause integration challenges.

Example

A project management platform integrates with Google Drive using OAuth 2.0. Users grant access to their files without sharing Google credentials. The platform receives an access token that allows document retrieval while respecting user-defined scopes. This increases trust and adoption by offering secure, seamless integration.