    OAuth (Open Authorization)

    OAuth 2.0 is an open-standard authorization framework that lets a third-party application obtain limited access to a user's data on another service without ever being given the user's password. Strictly speaking OAuth handles authorization (delegated access); "Login with Google"-style authentication is layered on top of it by OpenID Connect, which adds an ID token. It is widely used to secure access to web, mobile, and API applications.


    The following diagram shows how a client application obtains and uses a token with OAuth 2.0:

    Figure: The diagram shows how authentication works with OAuth 2.0

    As the diagram shows, the flow starts with the Client Application requesting a token from the identity provider (the authorization server), such as Azure AD. The identity provider authenticates the client application and returns an access token to it. The Client Application then presents the access token to the web application (the resource server), normally in the Authorization header of each request. The web application validates the token (signature or introspection, issuer, audience, expiry, and scopes) and, only if the token is valid, returns the requested response.


    Key Features of OAuth:

    1. Delegated Access Without Sharing Passwords

      • Instead of handing its password to an application, the user grants the application a token that is limited to what was consented to. The application never sees the password, so a compromised application cannot leak it.
    2. Token-Based Authorization

      • Every API request carries an access token (usually a bearer token). Tokens are short-lived, scoped and revocable, which limits the damage if one is stolen, something a long-lived password cannot offer.
    3. Supports Third-Party Login

      • Lets users log in via Google, Facebook, GitHub, or Microsoft without creating new credentials (this is OpenID Connect, built on top of OAuth 2.0).
    4. Scopes & Permissions

      • The application requests scopes, and the user can see and control what data it will be able to access (e.g., "Read-only access to emails"). The resource server must then enforce those scopes on each call.
    5. Widely Used in APIs & Web Apps

      • Popular in RESTful APIs, social logins, and cloud services.

    How OAuth Works (4 Steps)

    1. User Requests Access

      • The user wants to log in to, or connect, an application using their Google, Facebook, or Microsoft account.
    2. Authorization Request (Redirect to Provider)

      • The app redirects the user's browser to the OAuth provider's authorization endpoint (e.g., Google), stating which client it is, which scopes it wants, and where the provider should redirect back to.
    3. User Grants Permission

      • The user authenticates with the provider and consents to the specific data requested (e.g., email, profile info).
    4. Access Token is Issued

      • In the authorization code flow, the provider redirects the browser back to the app with a short-lived, single-use authorization code; the app's backend exchanges that code for an access token over a direct (back-channel) request and then sends the token with each API call.

    Example OAuth Flow (Google Login)

    1. User clicks "Login with Google".
    2. The app redirects the browser to Google's OAuth page (the state value is a random, per-login secret the app stores in the user's session; spaces in the scope list are URL-encoded):
      
      https://accounts.google.com/o/oauth2/auth?
      client_id=YOUR_CLIENT_ID&
      redirect_uri=YOUR_REDIRECT_URI&
      response_type=code&
      scope=email%20profile&
      state=RANDOM_STATE
      
      
    3. User signs in to Google and grants permission to access their email/profile.
    4. Google redirects the browser back to redirect_uri with an authorization code and the same state value; the app must reject the callback if the state does not match what it stored.
    5. The app's backend exchanges the code (together with its client secret) for an access token at Google's token endpoint. The code is single use and expires within minutes.
    6. The app uses the access token to fetch user data from Google's API.
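    The four-step description above and the Google login walkthrough are the same authorization code flow seen from two angles. The following is an added example, not code from the original page or from Google: it plays all three parties (client application, authorization server, and resource server) in a single process with a constructed in-memory provider standing in for Google or Azure AD, so it runs offline. The client_id, client_secret and redirect URI are placeholders, and the user profile is constructed data. It goes slightly beyond the page's description by adding the two checks a practitioner would insist on: a state parameter checked on the callback, and PKCE (code_challenge / code_verifier) so that a stolen authorization code cannot be exchanged by anyone else. The token-validation step at the resource server is the check described for the web application in the diagram above.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders as on the page, plus a hypothetical registered redirect URI.
CLIENT_ID, CLIENT_SECRET = "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET"
REDIRECT_URI = "https://app.example/callback"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class AuthorizationServer:
    """Constructed in-memory stand-in for the provider (Google, Azure AD, ...): /authorize and /token."""
    def __init__(self, client_id, client_secret, redirect_uris):
        self.client = {"id": client_id, "secret": client_secret, "redirect_uris": set(redirect_uris)}
        self.codes, self.tokens = {}, {}

    def authorize(self, url):
        """Browser arrives at /authorize and the user consents (steps 2-3); returns the redirect (step 4)."""
        q = _query(url)
        # Exact redirect_uri match: prefix or wildcard matching would let an attacker receive the code.
        if q.get("client_id") != self.client["id"] or q.get("redirect_uri") not in self.client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        if q.get("response_type") != "code" or not q.get("state") or not q.get("code_challenge"):
            raise ValueError("response_type=code, state and code_challenge are required")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"redirect_uri": q["redirect_uri"], "scope": q.get("scope", ""),
                            "challenge": q["code_challenge"], "expires": time.time() + 600}
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, client_id, client_secret, code, redirect_uri, code_verifier):
        """Back-channel /token call (step 5): the code is single use and bound to client, URI and PKCE."""
        rec = self.codes.pop(code, None)  # pop, so a replayed code fails even if all else matches
        if client_id != self.client["id"] or not secrets.compare_digest(self.client["secret"], client_secret):
            raise PermissionError("invalid_client")
        if rec is None or rec["expires"] < time.time() or rec["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant")
        if _b64url(hashlib.sha256(code_verifier.encode()).digest()) != rec["challenge"]:
            raise PermissionError("invalid_grant: PKCE verifier mismatch")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"scope": rec["scope"], "expires": time.time() + 3600}
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600, "scope": rec["scope"]}

    def revoke(self, access_token):
        self.tokens.pop(access_token, None)

    def introspect(self, access_token):
        rec = self.tokens.get(access_token)
        return {"active": True, "scope": rec["scope"]} if rec and rec["expires"] > time.time() else {"active": False}

def get_profile(auth, profile, authorization_header):
    """Resource server (step 6): validate the bearer token and its scope before releasing user data."""
    scheme, _, token = authorization_header.partition(" ")
    info = auth.introspect(token) if scheme == "Bearer" else {"active": False}
    if not info["active"]:
        return 401, {"error": "invalid_token"}
    if "profile" not in info["scope"].split():
        return 403, {"error": "insufficient_scope"}
    return 200, profile

def login_url(sessions, session_id, scope="email profile"):
    """Client app, steps 1-2: store state + PKCE verifier against the browser session, build the redirect."""
    state, verifier = secrets.token_urlsafe(16), secrets.token_urlsafe(48)
    sessions[session_id] = {"state": state, "verifier": verifier}
    return "https://accounts.google.com/o/oauth2/auth?" + urlencode({
        "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "response_type": "code",
        "scope": scope, "state": state, "code_challenge_method": "S256",
        "code_challenge": _b64url(hashlib.sha256(verifier.encode()).digest())})

def callback(auth, sessions, session_id, redirect_url):
    """Client app, step 5: check state against the session, then exchange the code on the back channel."""
    q, sess = _query(redirect_url), sessions.pop(session_id, None)
    # state ties the callback to the session that started the login (blocks CSRF and code injection)
    if sess is None or not secrets.compare_digest(sess["state"], q.get("state", "")):
        raise PermissionError("state mismatch")
    return auth.token(CLIENT_ID, CLIENT_SECRET, q["code"], REDIRECT_URI, sess["verifier"])

def run_google_style_login():
    """Walk through steps 1-6 with the constructed parties; returns what each step produced."""
    auth = AuthorizationServer(CLIENT_ID, CLIENT_SECRET, [REDIRECT_URI])
    profile, sessions = {"email": "alice@example.com", "name": "Alice"}, {}  # constructed user data
    redirect = auth.authorize(login_url(sessions, "browser-session-1"))   # steps 1-4
    token = callback(auth, sessions, "browser-session-1", redirect)       # step 5
    status, body = get_profile(auth, profile, "Bearer " + token["access_token"])  # step 6
    try:  # replaying the already-used code must be rejected by the token endpoint
        auth.token(CLIENT_ID, CLIENT_SECRET, _query(redirect)["code"], REDIRECT_URI, "x")
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    auth.revoke(token["access_token"])
    after_revoke, _ = get_profile(auth, profile, "Bearer " + token["access_token"])
    return {"status": status, "profile": body, "token": token,
            "replay_rejected": replay_rejected, "after_revoke": after_revoke}
```

    Calling run_google_style_login() drives one complete login: the profile call succeeds with the fresh token, replaying the consumed authorization code is refused, and the same token returns 401 once it has been revoked. Against a real provider the in-memory authorize() and token() calls become an HTTP redirect and an HTTPS POST to the token endpoint, and introspect() becomes either a token-introspection request or local validation of a signed JWT; the state and PKCE handling on the client side stays exactly as shown.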

    OAuth vs. Basic Authentication

    Feature                  OAuth                                                  Basic Authentication
    Security                 The client app never receives the user's password     Username and password are sent with every request
    Token-Based              Uses scoped, expiring access tokens                    Requires the username/password each time
    Third-Party Access       Yes, a user can delegate limited access to an         No, only the user's own credentials on one system
                             external application
    Expiration & Revocation  Tokens expire and can be revoked individually          Credentials remain valid until changed

    Where is OAuth Used?

    Google, Facebook, and Microsoft Logins (OpenID Connect on top of OAuth 2.0)
    REST APIs & Web Services
    Cloud Applications (Azure, AWS, Salesforce, Dynamics 365)
    Mobile Apps with Social Logins