What is OAuth 2.0?
If you're reading this, chances are good that you've used OAuth 2.0 without even knowing it. It's the protocol that powers logins for some of the largest sites and services on the web, including Google, Facebook, and Twitter.
OAuth 2.0 is a foundational standard in identity and access management for authorization, providing a secure and straightforward way for users to log in to their accounts and websites. It's often invoked in context with OIDC, but while they're related they have differences in functionality. In this post, we'll look at what OAuth 2.0 is, how it works, and some of its main advantages.
What is OAuth 2.0, and how does it work?
OAuth 2.0 allows applications to access resources from other applications without exposing sensitive user credentials. It does this by using access tokens instead of credentials. Access tokens are like keys that give users access to protected resources without having to share the username and password with the initial application.
The OAuth 2.0 protocol uses the authorization code flow, which involves four steps:
- The user initiates the flow by clicking a login button or similar on an app or site that supports OAuth 2.0 (known as a client), like those offering a "Log in with Facebook" option. The scope (the level of access required) is determined at this stage.
- The client sends the user to an authorization server where they are prompted to log in and grant permissions to the app or site requesting access (known as a resource server).
- The authorization server validates the client ID and secret and redirects them to the client with an authorization code.
- The client then sends the authorization code back to the authorization server and exchanges it for an access token, which it can use to make authenticated API calls on behalf of the user. In some cases, a refresh token may also be exchanged.
That might sound like a lot, but don't worry. In practice, it's pretty simple, especially from the end-user perspective. If you've ever logged into an app or service using your Facebook or Google account, you've used OAuth 2.0!
Here's a simplified version: When you click that "Login with" button, you are redirected to the authorization server. You log in to an existing account and grant permissions to the app or site in question (the client). Once you did that, you were redirected back to the client with an authorization code, which was then exchanged for an access token that allowed the app or site to make authenticated API calls on your behalf—like getting your name and profile picture from Facebook, for example.
What are the benefits?
Now that you understand the "what" and the "how," let's dig into the advantages of using OAuth 2.0 and the security concerns it addresses:
- Ease of use: OAuth 2.0 improves usability by allowing users to select from multiple native apps for a single service—for example, selecting from numerous calendar apps when setting up a new profile in Outlook.com.
- Increased end-user control: Oauth 2.0 was designed to resolve the issue of providing applications to access an existing account and data without giving it the user’s password. Users can also deauthorize or remove an app's access completely or partially without changing their password for the entire service or deleting their account. This makes it possible for users to take charge of their digital privacy and exercise agency over what they want to share with which application(s).
- Automation: By standardizing how third-party applications request authorization from service providers, OAuth 2.0 makes it possible for these interactions to be automated programmatically—for example via APIs—further reducing friction for users and developers alike.
It's not hard to see why OAuth 2.0 has become a popular choice for handling authentication for end-users and APIs alike. It's easily implemented by developers, user friendly, and privacy-focused. Whether you're looking to incorporate OAuth 2.0 into your website or app, or you're just curious about how it works, we hope this article has been helpful!
Beyond Identity SDKs supports OAuth 2.0 to simplify integration of strong, passwordless authentication. If you want to integrate secure, universal passkeys across your native and web apps, sign up for a free developer account today: https://www.beyondidentity.com/developers/signup