OAuth (Open Authorization)
OAuth is an open-standard authorization protocol that allows third-party applications to access user data without exposing passwords. It is widely used for secure authentication and authorization in web, mobile, and API applications.
The following diagram shows how authentication works with OAuth 2.0:

As the diagram shows, the OAuth authentication flow starts with the client application requesting a token from the identity provider, such as Azure AD. The identity provider authenticates the client application and returns a token to it. The client application then presents the access token to the web application. The web application validates the token and then serves the request.
Key Features of OAuth:
- Secure Authorization Without Passwords: instead of sharing passwords, OAuth allows users to grant access to their data via tokens.
- Token-Based Authentication: OAuth uses access tokens to authorize API requests, reducing security risks.
- Supports Third-Party Authentication: allows users to log in via Google, Facebook, GitHub, or Microsoft without creating new credentials.
- Scopes & Permissions: users can control what data an application can access (e.g., "Read-only access to emails").
- Widely Used in APIs & Web Apps: popular in RESTful APIs, social logins, and cloud services.
How OAuth Works (4 Steps)
1. User Requests Access: the user wants to log in using Google, Facebook, or Microsoft.
2. Authorization Request (Redirect to Provider): the app redirects the user to the OAuth provider (e.g., Google).
3. User Grants Permission: the user allows access to specific data (e.g., email, profile info).
4. Access Token is Issued: the provider sends an access token to the app, which is used to make API calls securely.
Example OAuth Flow (Google Login)
- User clicks "Login with Google".
- The app redirects the user to the Google OAuth page:
  https://accounts.google.com/o/oauth2/auth?client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_REDIRECT_URI&response_type=code&scope=email%20profile
- User grants permission to access their email/profile.
- Google sends back an authorization code.
- The app exchanges the code for an access token.
- The app uses the token to fetch user data from Google's API.
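The validation step the web application performs once the client presents the access token, as an added example that is not code from the article: the resource server checks the bearer token's signature, issuer, audience, expiry and scope before serving the request, and rejects anything that fails. It assumes HS256-signed JWTs with a shared secret and constructed issuer/audience values; providers such as Azure AD or Google sign with RS256 and publish public keys, so a production check would verify against those keys instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumptions (not from the article): tokens are HS256-signed JWTs using a secret shared
# between identity provider and web application; issuer and audience are constructed
# sample values. Real providers sign with RS256 and publish public keys for verification.
SHARED_SECRET = b"constructed-demo-secret"
EXPECTED_ISSUER = "https://idp.example"     # hypothetical identity provider
EXPECTED_AUDIENCE = "api://orders"          # hypothetical identifier of this API

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(sub: str, scope: str, lifetime: int = 300, now=None) -> str:
    """What the identity provider does: sign the claims it grants the client."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                                 "sub": sub, "scope": scope, "exp": now + lifetime}).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"

def validate_bearer(auth_header: str, required_scope: str, now=None) -> dict:
    """What the web application does before serving the request: verify, then trust."""
    now = int(time.time()) if now is None else now
    scheme, _, token = auth_header.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        raise ValueError("malformed Authorization header")
    header_b64, claims_b64, sig_b64 = token.split(".")
    # Pin the algorithm: the token's own header must not choose how it is verified.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))   # only now is the payload trusted
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("token not issued by our IdP for this API")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if required_scope not in claims.get("scope", "").split():
        raise ValueError("insufficient scope")
    return claims
```

A request carrying `Authorization: Bearer <token>` is accepted only when every check passes; the order matters, since signature verification happens before any claim is read.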
OAuth vs. Basic Authentication

Feature | OAuth | Basic Authentication
---|---|---
Security | More secure (no passwords shared) | Passwords are sent with each request
Token-Based | Uses access tokens | Requires username/password each time
Third-Party Access | Yes, allows access to external APIs | No, only works with own system
Expiration & Revocation | Tokens can expire and be revoked | Credentials remain valid until changed
Where is OAuth Used?
✅ Google, Facebook, and Microsoft Logins
✅ REST APIs & Web Services
✅ Cloud Applications (Azure, AWS, Salesforce, Dynamics 365)
✅ Mobile Apps with Social Logins
- Question 1: What is OAuth?
- Question 2: Which popular web applications use OAuth?
- Question 3: What is the purpose of OAuth?
- Question 4: When was OAuth first released, and who used it first?
- Question 5: What is the latest version of OAuth?
- Question 6: How does the OAuth authentication flow work?
- Question 7: What is the role of an Identity Provider in OAuth?
- Question 8: What is an Access Token in OAuth?
- Question 9: How does OAuth improve security?
- Question 10: What is delegated access in OAuth?