OAuth 2.0
OAuth 2.0, which stands for “Open Authorization”, is a standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user.
OAuth 2.0 is an authorization protocol. As such, it is designed primarily as a means of granting access to a set of resources, for example, remote APIs or user data.
It lets an application access another application's data about you. The authorization is made through the exchange of keys.
How does OAuth 2.0 work?
The client is the application (the first website) that wants to access your data or perform actions on your behalf; you are the resource owner.
The authorization server is the application that knows who the resource owner is: the one where you already have an account.
The resource server is the API or service the client wants to use on behalf of the resource owner.
The redirect URI, also called the callback URL, is the URL the authorization server redirects the resource owner to after access has been granted to the client.
The response type is the kind of information the client expects to receive; in the authorization code flow, the client expects to receive an authorization code.
The scope is the set of granular permissions the client asks for, such as reading data or performing actions.
Consent: the authorization server takes the scope the client requests and asks the resource owner whether they want to grant the client that permission.
The client ID identifies the client to the authorization server.
The client secret is known only to the client and the authorization server, so the two can exchange information safely.
An authorization code is a short-lived, temporary code that the authorization server sends back to the client.
The client then sends the authorization code and its client secret back to the authorization server in exchange for an access token.
The access token is like a keycard: the client presents it to the resource server to act on your behalf.
OAuth 2.0 Example using Sign in with Google
The user presses the "Sign in with Google" button. This redirects the browser to the identity provider's /authorize endpoint (the path can differ between providers), which leads to the provider's login page.
The user lands on Google's accounts page. If not already logged in, the user enters their Google email and password here.
Google redirects back to Netflix with an authorization_code (for example, to https://netflix.com/authcallback?code=XYZ...).
Netflix's backend server sends this authorization_code, together with the client_id and client_secret from their project in Google, to the /token endpoint and receives an access_token.
Netflix can then use the access_token to access the user's profile from Google.
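The roles defined above and the sign-in flow just described, played through end to end as an added example (not code from the original page, nor Google's or Netflix's own): a constructed in-memory authorization server issues a short-lived, single-use authorization code to the registered redirect URI, the client exchanges the code plus its client secret at the token endpoint, and the resulting access token is presented to the resource server. Endpoint URLs, client ID, client secret, scope name, user data and the AuthorizationServer class are all constructed placeholders; the state parameter and the exact redirect-URI match are the standard checks a practitioner would expect even though the page does not spell them out.

```python
"""Simulated OAuth 2.0 authorization code flow (added example, all values constructed)."""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed registration values; real ones come from the provider's
# developer console when the client (the first website) is registered.
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://client.example/authcallback"
AUTHORIZE_ENDPOINT = "https://auth.example/authorize"
CODE_TTL_SECONDS = 60  # authorization codes are short-lived and single-use


class AuthorizationServer:
    """In-memory authorization server (hypothetical); also backs the resource server."""

    def __init__(self):
        self.registered = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}}
        self._codes = {}   # code -> {"client_id", "redirect_uri", "scope", "expires_at"}
        self._tokens = {}  # access_token -> {"scope", "subject"}

    def authorize(self, url: str, consent_granted: bool, now: float) -> str:
        """/authorize: validate the request, record consent, redirect with a code."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        client = self.registered.get(q.get("client_id"))
        # redirect_uri must exactly match the registered one, otherwise the code
        # could be delivered to a URL the client never registered.
        if client is None or q.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        if q.get("response_type") != "code":
            raise ValueError("unsupported response_type")
        state = q.get("state", "")
        if not consent_granted:
            return client["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                             "scope": q.get("scope", ""), "expires_at": now + CODE_TTL_SECONDS}
        # state is echoed back unchanged so the client can tie the callback to its own request
        return client["redirect_uri"] + "?" + urlencode({"code": code, "state": state})

    def token(self, form: dict, now: float) -> dict:
        """/token: exchange code + client credentials for an access token."""
        client = self.registered.get(form.get("client_id"))
        if client is None or not hmac.compare_digest(form.get("client_secret", ""), client["secret"]):
            raise PermissionError("invalid_client")
        grant = self._codes.pop(form.get("code"), None)  # pop: a code can be redeemed once
        if grant is None or grant["expires_at"] < now:
            raise PermissionError("invalid_grant")
        if grant["client_id"] != form["client_id"] or grant["redirect_uri"] != form.get("redirect_uri"):
            raise PermissionError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"scope": grant["scope"], "subject": "user-123"}
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600, "scope": grant["scope"]}

    def profile(self, bearer: str) -> dict:
        """Resource server endpoint; simplified to share the token store with the authorization server."""
        info = self._tokens.get(bearer)
        if info is None or "profile" not in info["scope"].split():
            raise PermissionError("insufficient_scope")
        return {"sub": info["subject"], "email": "user@example.invalid"}


def build_authorize_url(state: str, scope: str = "profile") -> str:
    """Client side: the URL the user's browser is sent to when the sign-in button is pressed."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Client side: extract the code, rejecting a callback whose state is not ours."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if not hmac.compare_digest(q.get("state", ""), expected_state):
        raise ValueError("state mismatch: callback did not originate from our request")
    if "error" in q:
        raise PermissionError(q["error"])
    return q["code"]


def run_flow(server: AuthorizationServer, consent: bool = True, now: float = None) -> dict:
    """End to end: button press -> consent -> callback -> token exchange -> resource server call."""
    now = time.time() if now is None else now
    state = secrets.token_urlsafe(16)  # kept in the user's session on the client
    callback = server.authorize(build_authorize_url(state), consent, now)
    code = parse_callback(callback, state)
    tok = server.token({"grant_type": "authorization_code", "code": code,
                        "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                        "client_secret": CLIENT_SECRET}, now)
    return server.profile(tok["access_token"])


if __name__ == "__main__":
    print(run_flow(AuthorizationServer()))
```

Running the script prints the constructed profile returned by the resource server. The negative paths are where the security of the flow lives: a wrong client secret fails with invalid_client, a reused or expired code fails with invalid_grant, a callback carrying someone else's state is rejected by the client, and a token whose scope does not include profile is refused by the resource server.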