Engineering glossary
OAuth 2.0(OAuth)
OAuth 2.0 is an authorization framework that lets a client obtain limited access to protected resources, usually on behalf of a resource owner or on its own behalf.
In plain language
OAuth lets an application receive a scoped token instead of asking for another system's user password. OAuth defines delegated authorization; it does not by itself define who the user is. OpenID Connect adds an identity layer for authentication use cases.
Why it matters to a business
- Avoids sharing user passwords with integrating applications
- Limits access through scopes, audiences, and token lifetime
- Supports revocation and delegated access across organizational boundaries
How it works
- 1A client is registered with an authorization server.
- 2An approved grant flow obtains authorization appropriate to the client type.
- 3The client receives an access token with defined scope and lifetime.
- 4A resource server validates the token before allowing protected operations.
Common use cases
- Allowing a business application to access a user's calendar
- Authorizing server-to-server access with client credentials
- Connecting an internal product to a third-party platform
- Supporting sign-in when combined with OpenID Connect
Important implementation decisions
- Grant flow and client type
- Redirect URI and proof-key protections
- Scopes, audience, lifetime, refresh, and revocation
- Secure token storage and validation
Common mistakes and misconceptions
- Calling OAuth an authentication protocol
- Using broad scopes by default
- Putting tokens in insecure browser storage or logs
- Inventing a custom flow instead of following current security guidance
Limitations and trade-offs
OAuth adds protocol complexity and depends on correct configuration across several parties.
Short-lived tokens reduce exposure but require refresh and failure handling.
Authoritative references
Need to apply this concept to a real system?
A focused technical discussion can identify the decisions and constraints that matter before implementation.