OAuth 2.0 explained

OAuth 2.0 is an authorisation framework specified in RFC 6749. It forms the basis of OpenID Connect.

1. What’s the purpose of OAuth 2.0?

OAuth 2.0 is a protocol for granting clients limited access to a protected web service or API. This is done by an authorisation server which issues the clients with access tokens, typically of type bearer.

2. Why has OAuth 2.0 become so successful?

OAuth 2.0 became popular long before the spec was finalised. It inspired people to spawn a number of complementary extensions, such as OpenID Connect.

The protocol was born in the social apps space where integration simplicity is key to increasing a web API’s adoption rate:

  • Complexity is shifted to the server, easing client-side programming.

  • Simplified client-server flows.

  • Bearer instead of signed tokens.

  • Can be used for third-party login.

3. How do clients obtain an access token?

The access token is issued in exchange for a valid "grant", a somewhat abstract term for the credential or authorisation that the client presents to the authorisation server. A grant can be of the following types:

4. The access token

The access token is an opaque string which has an associated scope and lifetime, and may optionally allow refreshing.

The access token is of type bearer: whoever holds the token is allowed to make an HTTP request to the protected web API. The caveat is that access tokens must be kept secret at all times and only used over HTTPS.

The access token is typically passed with the Authorization header of the HTTP request:

Authorization: Bearer mF_9.B5f-4.1JqM
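As an added example (not code from this page or from any OAuth implementation), this is how a protected web API might check the bearer token it receives in the Authorization header before serving a request. The token store is a constructed stand-in for what the authorisation server knows about its opaque tokens (scope and expiry); the header syntax and the invalid_token / insufficient_scope error codes are the ones defined for bearer tokens in RFC 6750.

```python
import re
import time

# Constructed stand-in for the authorisation server's view of its opaque tokens.
# The protected API cannot decode an opaque token; it can only look it up
# (in practice via token introspection or a store shared with the server).
TOKEN_STORE = {
    "mF_9.B5f-4.1JqM": {"scope": {"read", "write"}, "expires_at": 4102444800},
    "expired-token":   {"scope": {"read"},          "expires_at": 946684800},
}

# RFC 6750 syntax: the "Bearer" scheme (case-insensitive) followed by a b64token.
BEARER_RE = re.compile(r"^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)


def extract_bearer_token(headers):
    """Return the bearer token from the Authorization header, or None."""
    value = headers.get("Authorization")
    if not value:
        return None
    match = BEARER_RE.match(value.strip())
    return match.group(1) if match else None


def authorize(headers, required_scope, now=None):
    """Decide whether a request may proceed.

    Returns (status, error): 200 when the request may be served, 401 for a
    missing, unknown or expired token, 403 when the token lacks the required
    scope. The error string is the value for the WWW-Authenticate challenge.
    """
    now = time.time() if now is None else now
    token = extract_bearer_token(headers)
    if token is None:
        return 401, None               # no credentials: plain challenge
    info = TOKEN_STORE.get(token)
    if info is None or info["expires_at"] <= now:
        return 401, "invalid_token"    # unknown, revoked or expired token
    if required_scope not in info["scope"]:
        return 403, "insufficient_scope"
    return 200, None
```

Because the token is a bearer credential, this check is the only thing standing between a leaked token and the API, which is why the lookup must also honour revocation and expiry rather than just the token's existence.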

5. Implementation flexibility

OAuth 2.0 offers implementers ample flexibility:

  • The authorisation server is free to decide how users get authenticated.

  • The authorisation server is also free to decide how the permission is obtained.

  • The access token is an opaque string and the server is free to decide what gets encoded into it.

6. Specifications

OAuth 2.0 is developed by good people in the OAuth working group of the IETF.

The essence of OAuth 2.0 is in these two core specs:

The security implications of OAuth are described in this document:

Most of the OAuth 2.0 extensions are stable now, but still technically work in progress: