OAuth 2.0
OAuth 2.0 is an authorization framework that allows third-party applications to obtain limited access to HTTP services.
Key Roles
- Resource Owner: User who authorizes access
- Client: Application requesting access
- Resource Server: API server hosting protected resources
- Authorization Server: Server that authenticates resource owner and issues tokens
Authorization Code Flow
Browser → Client App → Authorization Server → Browser → Client App → Resource Server
- User accesses client application
- Client redirects to authorization server
- User authenticates and grants permission
- Authorization server returns authorization code
- Client exchanges code for access token
- Client accesses protected resources using access token
Access Token Example
Authorization: Bearer MTQ0NjJkZmQ5OTM2NDE1ZTZjNGZmZjI3
Grant Types
- Authorization Code: Standard flow for web apps
- Implicit: Simplified flow for SPAs (deprecated)
- Client Credentials: Machine-to-machine communication
- Resource Owner Password: Direct credential exchange
Pros & Cons
- ✅ Standardized protocol
- ✅ Delegated access without sharing passwords
- ✅ Multiple grant types for different use cases
- ❌ Complex implementation
- ❌ Redirect-based flows: codes and tokens carried through browser redirects can be intercepted
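The six-step Authorization Code flow above, and the interception weakness listed under the cons, worked through as an added example that is not part of these notes. All three roles run in one process, so the HTTP redirects and the token request become plain function calls; the endpoint URL, client id and redirect URI are hypothetical values chosen for the example. The client adds the two standard mitigations for redirect interception, a per-session `state` value and PKCE (`code_challenge`/`code_verifier`, S256), and the authorization server enforces a registered redirect URI, single-use codes and PKCE verification, so a code captured from the redirect cannot be redeemed on its own.

```python
import base64, hashlib, secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed endpoint and client registration (hypothetical values, not from the notes).
AUTHZ_ENDPOINT = "https://authz.example/authorize"
CLIENT_ID = "demo-client"
REDIRECT_URI = "https://client.example/callback"


def b64url_sha256(value: str) -> str:
    """PKCE S256 transform: BASE64URL(SHA256(value)) without '=' padding."""
    digest = hashlib.sha256(value.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class ClientApp:
    """Client: builds the authorization request (step 2) and redeems the code (step 5)."""
    def __init__(self):
        self.pending = {}  # state -> code_verifier, held in the user's server-side session

    def begin(self) -> str:
        """Step 2: the URL the browser is redirected to."""
        state = secrets.token_urlsafe(16)      # ties the callback to this session (anti-CSRF)
        verifier = secrets.token_urlsafe(32)   # PKCE secret; only its hash leaves the client
        self.pending[state] = verifier
        params = {"response_type": "code", "client_id": CLIENT_ID,
                  "redirect_uri": REDIRECT_URI, "state": state,
                  "code_challenge": b64url_sha256(verifier), "code_challenge_method": "S256"}
        return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"

    def callback(self, callback_url: str, authz: "AuthorizationServer") -> dict:
        """Step 5: check state, then exchange the code at the token endpoint."""
        q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
        verifier = self.pending.pop(q.get("state", ""), None)  # unknown/reused state -> reject
        if verifier is None:
            raise ValueError("state mismatch: callback not tied to a pending request")
        # A real client POSTs this to the token endpoint over TLS; here it is an in-process call.
        return authz.token({"grant_type": "authorization_code", "code": q.get("code", ""),
                            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                            "code_verifier": verifier})


class AuthorizationServer:
    """Authorization server: issues single-use codes bound to a PKCE challenge, then tokens."""
    def __init__(self):
        self.codes = {}   # code -> {"user", "challenge"}
        self.tokens = {}  # access_token -> user (the resource server looks tokens up here)

    def authorize(self, auth_url: str, user: str) -> str:
        """Steps 3-4: user has authenticated and consented; build the redirect back to the client."""
        q = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
        if q.get("response_type") != "code" or q.get("client_id") != CLIENT_ID:
            raise ValueError("unknown client or unsupported response_type")
        if q.get("redirect_uri") != REDIRECT_URI:  # exact match against the registered URI
            raise ValueError("redirect_uri is not registered for this client")
        if q.get("code_challenge_method") != "S256" or "code_challenge" not in q:
            raise ValueError("PKCE (S256) is required")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"user": user, "challenge": q["code_challenge"]}
        return f"{REDIRECT_URI}?{urlencode({'code': code, 'state': q.get('state', '')})}"

    def token(self, req: dict) -> dict:
        """Token endpoint: the code is consumed on first use and must match the verifier."""
        entry = self.codes.pop(req.get("code"), None)  # pop -> a replayed code fails
        if entry is None:
            raise PermissionError("invalid_grant: unknown or already-used code")
        if req.get("client_id") != CLIENT_ID or req.get("redirect_uri") != REDIRECT_URI:
            raise PermissionError("invalid_grant: client_id/redirect_uri mismatch")
        if b64url_sha256(req.get("code_verifier", "")) != entry["challenge"]:
            raise PermissionError("invalid_grant: PKCE verification failed")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = entry["user"]
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600}


def resource_server_get(authz: AuthorizationServer, authorization_header: str):
    """Step 6: the resource server validates 'Authorization: Bearer <token>'."""
    scheme, _, token = authorization_header.partition(" ")
    user = authz.tokens.get(token) if scheme == "Bearer" else None
    return (200, {"user": user}) if user else (401, {"error": "invalid_token"})


def run_flow():
    """Happy path through all six steps; returns the resource server's response."""
    authz, client = AuthorizationServer(), ClientApp()
    callback_url = authz.authorize(client.begin(), "alice")  # steps 2-4
    tok = client.callback(callback_url, authz)              # step 5
    return resource_server_get(authz, f"Bearer {tok['access_token']}")  # step 6


def intercepted_code_is_useless() -> bool:
    """A code seen in transit (a leaked redirect) cannot be redeemed without the code_verifier."""
    authz, client = AuthorizationServer(), ClientApp()
    code = parse_qs(urlparse(authz.authorize(client.begin(), "alice")).query)["code"][0]
    try:
        authz.token({"grant_type": "authorization_code", "code": code,
                     "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID})
    except PermissionError:
        return True   # rejected: the verifier never travelled through the browser
    return False
```

`run_flow()` returns `(200, {"user": "alice"})`; `intercepted_code_is_useless()` returns `True`, and because the token endpoint consumes the code on that failed attempt, a later legitimate exchange of the same code would also be refused, which is the behaviour a defender wants when a code has been exposed. The `Authorization: Bearer ...` header the resource server checks is the same shape as the access token example in the notes.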