Page cover image

OAuth 2.0


In the early days of the web, sharing information between online services was simple but risky. People used to share their usernames and passwords between different services, allowing them to access their accounts and data.

However, this practice was not secure, and it lead to problems like unauthorized access or data breaches.


Today, we have established standards to make this process more secure. One such standard is OAuth 2.0, which allows one application to access data from another application without needing your username and password.

Instead, they use a secure method involving the exchange of keys. You can also easily revoke their access whenever you want.

Authentication with OAuth 2.0

OAuth 2.0, which stands for “Open Authorization”, is a standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user.

OAuth 2.0 involves different services talking to each other. For example, if you’re using an email service and want to link it to another service, like a calendar app, the email service will check if you’re logged in. If not, it will prompt you to log in. Then, it will ask for your permission to access your schedule. You can then go back to the calendar app and do what you need to do.

This process is called the OAuth 2.0 Flow, and it includes visible consent controls that you can see and approve. There are also behind-the-scenes actions happening to make it all work. The most common flow is the authorization flow.

In OAuth 2.0, the concept of “scope” is pivotal to controlling access and permissions during the authentication and authorization process.

The scope parameter defines the specific permissions or access rights that a client application requests from the resource owner (typically the user) and the authorization server.

The scope parameter is a space-separated list of scope values, each indicating a particular access right. These scopes are defined by the resource server and must be understood and approved by the authorization server.

OAuth 2.0 Key Terms :

  • Resource Owner: That’s you, the person who owns the identity and data.

  • Client: This is the application (like a website) that wants to access your data or perform actions on your behalf.

  • Authorization Server: This application knows that you are the resource owner.

  • Resource Server: This is the API or service that the client wants to use on your behalf.

  • Redirect URI: It’s the URL where the authorization server sends you after granting access to the client.

  • Response Type: This specifies what type of information the client expects to receive.

  • Scope: These are the specific permissions the client is requesting, like accessing data or performing actions.

  • Consent: The authorization server provides a consent prompt to you, the resource owner, if you want to give the client permission.

  • Client ID: This identifies the client with the authorization server.

  • Client Secret: It’s like a password known only to the client and the authorization server to securely share information.

  • Authorization Code: This is a short-lived code that the authorization server sends to the client.

  • Access Token: It’s like a free pass, like a keycard that the client uses to communicate with the resource server on your behalf.

Last updated