Skip to content

Engineering glossary

OAuth 2.0(OAuth)

OAuth 2.0 is an authorization framework that lets a client obtain limited access to protected resources, usually on behalf of a resource owner or on its own behalf.

In plain language

OAuth lets an application receive a scoped token instead of asking for another system's user password. OAuth defines delegated authorization; it does not by itself define who the user is. OpenID Connect adds an identity layer for authentication use cases.

Why it matters to a business

  • Avoids sharing user passwords with integrating applications
  • Limits access through scopes, audiences, and token lifetime
  • Supports revocation and delegated access across organizational boundaries

How it works

  1. 1A client is registered with an authorization server.
  2. 2An approved grant flow obtains authorization appropriate to the client type.
  3. 3The client receives an access token with defined scope and lifetime.
  4. 4A resource server validates the token before allowing protected operations.

Common use cases

  • Allowing a business application to access a user's calendar
  • Authorizing server-to-server access with client credentials
  • Connecting an internal product to a third-party platform
  • Supporting sign-in when combined with OpenID Connect

Important implementation decisions

  • Grant flow and client type
  • Redirect URI and proof-key protections
  • Scopes, audience, lifetime, refresh, and revocation
  • Secure token storage and validation

Common mistakes and misconceptions

  • Calling OAuth an authentication protocol
  • Using broad scopes by default
  • Putting tokens in insecure browser storage or logs
  • Inventing a custom flow instead of following current security guidance

Limitations and trade-offs

OAuth adds protocol complexity and depends on correct configuration across several parties.

Short-lived tokens reduce exposure but require refresh and failure handling.

Authoritative references

Need to apply this concept to a real system?

A focused technical discussion can identify the decisions and constraints that matter before implementation.