OAuth 2.0 In-Depth: A Complete Guide

Mkh TamimMkh Tamim
4 min read

OAuth 2.0 is the industry-standard protocol for authorization. It enables third-party applications to obtain limited access to user accounts on an HTTP service without exposing user credentials. Whether you're building web apps, mobile apps, or APIs, understanding OAuth 2.0 is essential. This article provides an in-depth overview of OAuth 2.0, its components, flows, and real-world applications.

What is OAuth 2.0?

OAuth 2.0 is an authorization framework that allows a third-party application to obtain limited access to a resource hosted on a server, on behalf of a resource owner. Unlike earlier authentication mechanisms, OAuth 2.0 separates authentication from authorization and provides secure, delegated access.

Core Components

1. Resource Owner

  • Usually the end-user.

  • Owns the protected resources.

2. Client

  • The application requesting access to the resource owner’s data.

  • Could be a web app, mobile app, or desktop app.

3. Authorization Server

  • Authenticates the resource owner.

  • Issues access tokens to the client.

4. Resource Server

  • Hosts the protected data.

  • Accepts access tokens from the client to grant access to resources.

Tokens

Access Token

  • Used by the client to access protected resources.

  • Has a limited lifetime.

Refresh Token

  • Used to obtain a new access token without re-authenticating the user.

  • Usually has a longer lifetime or no expiration.

OAuth 2.0 Grant Types

OAuth 2.0 defines several ways to obtain an access token, known as grant types:

1. Authorization Code Grant

  • Recommended for: Web and mobile apps.

  • Process:

    1. The client redirects the user to the authorization server.

    2. The user logs in and authorizes the app.

    3. The server returns an authorization code to the client.

    4. The client exchanges the code for an access token.

  • Secure: Uses client secret and is server-to-server.

2. Implicit Grant (Deprecated)

  • Recommended for: Legacy SPAs (Single Page Applications).

  • Process:

    • Token is returned directly in the URL.

  • Security Issue: Tokens exposed in browser history.

  • Note: Replaced by Authorization Code with PKCE.

3. Client Credentials Grant

  • Recommended for: Server-to-server (M2M) apps.

  • Process:

    • The client authenticates with its client ID and secret.

    • Directly receives an access token.

  • No user interaction required.

4. Resource Owner Password Credentials Grant (ROPC)

  • Recommended for: Highly trusted applications.

  • Process:

    • The client collects the user's username and password.

    • Sends them to the authorization server to obtain a token.

  • Security Issue: Exposes user credentials.

  • Note: Deprecated and discouraged.

5. Device Authorization Grant

  • Recommended for: Devices with limited input (TVs, IoT).

  • Process:

    • Device asks the user to authorize on another device.

    • Device polls the server for token issuance.

6. Refresh Token Grant

  • Purpose: Renew access tokens without user re-authentication.

  • Secure: Reduces the need to store long-lived access tokens.

OAuth 2.0 Flow Example (Authorization Code Grant)

[Client] --> (A) Request Auth Code --> [Auth Server]
[User]  --> (B) Login & Consent  --> [Auth Server]
[Client] <-- (C) Auth Code       <-- [Auth Server]
[Client] --> (D) Exchange Code for Token --> [Auth Server]
[Client] <-- (E) Access Token             <-- [Auth Server]
[Client] --> (F) Request Resource --> [Resource Server]
[Client] <-- (G) Protected Data   <-- [Resource Server]

JWT: A Common Token Format

OAuth 2.0 often uses JWT (JSON Web Tokens) for access tokens. Example:

{
  "alg": "RS256",
  "typ": "JWT"
}.
{
  "sub": "1234567890",
  "name": "John Doe",
  "exp": 1713825600,
  "scope": "read write"
}

JWTs are self-contained, signed tokens that can carry identity and scope data securely.

Real-World Examples

Google OAuth

  • Used to access Google Calendar, Gmail, Drive, etc.

  • Follows Authorization Code Flow with PKCE.

GitHub OAuth

  • Used for third-party tools to access repos, issues, and commits.

Facebook OAuth

  • Enables login and social integration in third-party apps.

Security Considerations

  • Use HTTPS for all communications.

  • Store client secrets securely.

  • Use short-lived access tokens and refresh tokens.

  • Implement proper token revocation.

  • Always prefer Authorization Code Grant with PKCE for public clients.

Conclusion

OAuth 2.0 is a powerful and flexible framework for secure authorization. Understanding its components, flows, and security best practices is crucial for building modern applications that respect user privacy and protect sensitive data. By choosing the right grant type and implementing securely, developers can build robust, scalable systems that integrate seamlessly with third-party services.

0
Subscribe to my newsletter

Read articles from Mkh Tamim directly inside your inbox. Subscribe to the newsletter, and don't miss out.

OAuth2backendcoding

Written by

Mkh Tamim
Mkh Tamim