
OAuth

An authorization framework that allows third-party applications to access resources on behalf of a user without exposing their credentials.

OAuth (Open Authorization) is an authorization framework that enables third-party applications to obtain limited access to a user's resources on another service without requiring the user to share their credentials with the application. OAuth 2.0 is the current version and is the foundation for most delegated authorization on the web. OAuth is an authorization protocol, not an authentication protocol: "Login with Provider" buttons rely on OpenID Connect, an identity layer built on top of OAuth 2.0, to tell the application who the user is.

How It Works

OAuth 2.0 defines several grant types for different use cases. The authorization code flow, the most common for web applications, works as follows. A user clicks "Login with Provider" on a third-party application. The application redirects the user's browser to the provider's authorization endpoint with a request that names the application (client_id), the callback URL it wants the result sent to (redirect_uri), the permissions it is asking for (scopes), and an unguessable state value tied to the user's session. The user authenticates with the provider and consents to the requested access. The provider redirects the browser back to the registered callback URL with a short-lived, single-use authorization code and the unchanged state value. The application checks that the state matches what it stored, then exchanges the code for an access token with a direct server-to-server request to the provider's token endpoint; a confidential client (one with a backend) authenticates that request with its client secret, while a public client (a single-page app or mobile app, which cannot keep a secret) relies on PKCE instead. The access token is then presented as a bearer token to access the user's resources on the provider.

Other grant types serve different scenarios. The client credentials flow handles machine-to-machine communication where no user is involved; the application authenticates as itself and receives a token for its own resources. The device code flow supports devices with limited input capabilities, such as smart TVs, by having the user approve the request from a second device. The implicit flow, which returned access tokens directly in the URL fragment, is now discouraged: the token is exposed to the browser history, to scripts on the page, and to referrer leakage, and there is no code exchange step in which the client can be authenticated or PKCE enforced.

Access tokens have limited lifetimes and scopes, which bounds the damage if one is stolen. Refresh tokens allow applications to obtain new access tokens without requiring the user to re-authenticate; because they are long-lived, they should be stored as secrets and, ideally, rotated on every use so that a stolen copy is detected when both the thief and the legitimate client try to redeem it. Token revocation endpoints let users and applications withdraw access from clients they no longer trust.

Security Considerations

OAuth implementations are vulnerable to several attacks. Loose redirect_uri validation on the authorization server (prefix or substring matching instead of an exact match against the registered URL), or an open redirect on a page that is allowed as a callback, lets an attacker steer the authorization code to a location they control. Missing or insufficient state parameter validation enables login CSRF: an attacker completes an authorization with their own account and then makes the victim's browser load the resulting callback URL, so the victim's session ends up bound to the attacker's account, or the attacker's session to the victim's account if the flow is reversed. Overly broad scopes grant applications more access than they need, so a compromised client or token exposes more data. Token leakage through Referer headers, browser history, proxy and application logs, or URL query strings exposes bearer tokens, which anyone holding them can use.

PKCE (Proof Key for Code Exchange, RFC 7636) mitigates authorization code interception by binding the code to the client instance that requested it. Before redirecting the user, the client generates a random code_verifier and sends its SHA-256 hash, the code_challenge, in the authorization request. When it later exchanges the code, it sends the original code_verifier; the authorization server hashes it and refuses the exchange if the result does not match the challenge it recorded with the code. An attacker who intercepts the code but not the verifier cannot redeem it. PKCE was designed for public clients, and current OAuth security guidance recommends it for confidential clients as well, since it also protects against injection of a code captured elsewhere.
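The flow described under "How It Works" and the state and PKCE checks described above, simulated end to end in one process. This is an added example, not code from the page or from any real provider: the client IDs, redirect URIs, secret and user names are constructed, and the authorization server and client classes are hypothetical stand-ins for a provider's authorization/token endpoints and an application's session store. It runs the happy path and then three attacks from the text (login CSRF, an unregistered redirect_uri, and redeeming an intercepted code without the verifier) to show which check stops each one.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding PKCE (RFC 7636) uses."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical provider: authorization and token endpoints, in-process."""

    def __init__(self, clients: dict):
        self.clients = clients   # client_id -> {"redirect_uris": [...], "secret": str|None}
        self.codes = {}          # authorization code -> issuance record

    def authorize(self, client_id, redirect_uri, scope, state, code_challenge, user):
        client = self.clients.get(client_id)
        if client is None:
            raise ValueError("unknown client_id")
        # Exact match against the registered URIs. Prefix or substring matching
        # is what lets an attacker-controlled location receive the code.
        if redirect_uri not in client["redirect_uris"]:
            raise ValueError("redirect_uri not registered for this client")
        code = b64url(secrets.token_bytes(24))
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "challenge": code_challenge,
                            "user": user, "used": False}
        # Redirect back with the code and the state exactly as the client sent it.
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, client_id, code, redirect_uri, code_verifier, client_secret=None):
        rec = self.codes.get(code)
        if rec is None or rec["used"]:
            raise ValueError("invalid or already-used authorization code")
        rec["used"] = True   # single use: burned even if a later check fails
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise ValueError("code was issued to a different client or redirect_uri")
        expected_secret = self.clients[client_id]["secret"]   # None for a public client
        if expected_secret is not None and not secrets.compare_digest(
                expected_secret, client_secret or ""):
            raise ValueError("client authentication failed")
        if not secrets.compare_digest(pkce_challenge(code_verifier), rec["challenge"]):
            raise ValueError("PKCE verification failed")
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer",
                "expires_in": 3600, "scope": rec["scope"], "sub": rec["user"]}


class Client:
    """Hypothetical application; one instance models one browser session."""

    def __init__(self, client_id, redirect_uri, server, secret=None):
        self.client_id, self.redirect_uri = client_id, redirect_uri
        self.server, self.secret = server, secret
        self.pending = {}   # state -> code_verifier, kept server-side until the callback

    def start_login(self, scope: str) -> dict:
        state = b64url(secrets.token_bytes(16))       # unguessable, bound to this session
        verifier = b64url(secrets.token_bytes(32))    # 43-character PKCE verifier
        self.pending[state] = verifier
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "scope": scope, "state": state, "code_challenge_method": "S256",
                "code_challenge": pkce_challenge(verifier)}

    def handle_callback(self, callback_url: str) -> dict:
        qs = parse_qs(urlparse(callback_url).query)
        verifier = self.pending.pop(qs.get("state", [None])[0], None)   # one-shot lookup
        if verifier is None:
            raise ValueError("unknown state: rejecting possible login CSRF")
        return self.server.token(self.client_id, qs["code"][0], self.redirect_uri,
                                 verifier, self.secret)


def run_flow(scope="profile:read") -> dict:
    """Happy path for a confidential client; returns the token response it receives."""
    server = AuthorizationServer({"web": {"redirect_uris": ["https://app.example/cb"],
                                          "secret": "constructed-secret"}})
    client = Client("web", "https://app.example/cb", server, secret="constructed-secret")
    req = client.start_login(scope)
    cb = server.authorize(req["client_id"], req["redirect_uri"], req["scope"],
                          req["state"], req["code_challenge"], user="alice")
    return client.handle_callback(cb)


def attack_outcomes() -> dict:
    """Runs the attacks from the text against a public client; True means rejected."""
    server = AuthorizationServer({"spa": {"redirect_uris": ["https://app.example/cb"], "secret": None}})
    victim = Client("spa", "https://app.example/cb", server)     # victim's session
    attacker = Client("spa", "https://app.example/cb", server)   # attacker's session

    def rejected(fn):
        try:
            fn()
            return False
        except ValueError:
            return True

    # Login CSRF: attacker finishes their own authorization and feeds the callback
    # URL to the victim's browser; the victim's session never stored that state.
    a = attacker.start_login("profile:read")
    cb = server.authorize("spa", a["redirect_uri"], a["scope"], a["state"], a["code_challenge"], user="mallory")
    out = {"login_csrf": rejected(lambda: victim.handle_callback(cb))}
    # Redirect URI that merely resembles the registered one: no code is issued.
    v = victim.start_login("profile:read")
    out["unregistered_redirect_uri"] = rejected(lambda: server.authorize(
        "spa", "https://app.example.attacker.net/cb", v["scope"], v["state"], v["code_challenge"], user="alice"))
    # Intercepted code (say, from a leaked Referer) redeemed without the verifier.
    cb = server.authorize("spa", v["redirect_uri"], v["scope"], v["state"], v["code_challenge"], user="alice")
    code = parse_qs(urlparse(cb).query)["code"][0]
    out["code_without_verifier"] = rejected(lambda: server.token("spa", code, v["redirect_uri"], "guessed"))
    # The failed attempt consumed the single-use code, so even the real client is refused now.
    out["code_replay"] = rejected(lambda: victim.handle_callback(cb))
    return out
```

The server burns the code before checking the verifier so that an attacker cannot probe the PKCE check repeatedly with the same code; the cost is that the legitimate user has to start over after an interception attempt, which is the safer failure.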

Why It Matters

OAuth is the authorization backbone of the modern web. Misconfigurations in OAuth flows lead directly to account takeover, data exposure, and unauthorized access. Every application that integrates with external identity providers must implement OAuth correctly to protect its users.
