What is OAuth 2.0?
OAuth 2.0 is an authorization framework that lets one application access a user’s data held by another service without the user handing over their password. It is widely used across the internet to give applications safe, limited access to user information.
A Simple Real-Life Example
Imagine you visit a new app and see a button that says: "Login with Google".
When you click it:
- You are redirected to Google
- You log in using your Google account
- You allow the app to access limited information (like your name or email)
The app never sees your Google password. This entire process is powered by OAuth 2.0.
Why Do We Need OAuth 2.0?
Before OAuth, apps often asked users to hand over their usernames and passwords directly. This was unsafe, because the app then held the user’s full credentials and could do anything the user could.
OAuth 2.0 solves this problem by:
- Keeping passwords private
- Allowing limited access instead of full access
- Making it easy to revoke access anytime
Key Components of OAuth 2.0
1. Resource Owner
This is the user who owns the data. For example, you are the resource owner of your Google account.
2. Client
The application that wants to access the user’s data. Example: a third-party app using Google login.
3. Authorization Server
The server that verifies the user’s identity and issues access permissions. Example: Google’s login server.
4. Resource Server
The server that stores the actual data and allows access after validation. Example: Google’s user profile service.
What Is an Access Token?
An access token is a string issued by the authorization server. It acts like a temporary key that lets the client access the user’s data on the resource server.
Important points about access tokens:
- They have a limited lifetime
- They grant only specific permissions
- They can be revoked by the user
How OAuth 2.0 Works (Step by Step)
- The user tries to log in to an application
- The app redirects the user to the authorization server
- The user approves the requested permissions
- The authorization server sends an access token to the app
- The app uses the token to access protected data
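The five steps above, as an added example in Python that is not part of the original article: the client side of the authorization code flow, building the step-2 redirect and validating the step-4 callback before the code is exchanged for a token in step 5. The endpoints, client id and redirect URI are placeholders I assumed, and no network call is made.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed endpoints and client settings (placeholders, not a real provider).
AUTHORIZE_URL = "https://auth.example.com/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/callback"

def build_authorization_request(scope="profile email"):
    # Step 2: build the redirect to the authorization server. `state` binds the
    # later callback to this browser session (a CSRF check); the PKCE pair
    # (RFC 7636) means only the client that started the flow can redeem the code.
    state = secrets.token_urlsafe(32)
    code_verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    code_challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    # The app keeps state and code_verifier in the user's server-side session.
    session = {"state": state, "code_verifier": code_verifier}
    return f"{AUTHORIZE_URL}?{urlencode(params)}", session

def handle_callback(callback_url, session):
    # Step 4: the server redirects back with a one-time code. Reject it unless
    # `state` matches what this session issued (no spliced-in foreign code), then
    # build the step-5 body the app POSTs to the token endpoint for the token.
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise PermissionError(f"authorization denied: {query['error'][0]}")
    returned_state = query.get("state", [""])[0]
    if not secrets.compare_digest(returned_state.encode(), session["state"].encode()):
        raise PermissionError("state mismatch: discarding callback")
    if "code" not in query:
        raise PermissionError("callback carries no authorization code")
    return {
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session["code_verifier"],
    }
```

The token endpoint recomputes the S256 challenge from `code_verifier` and only then issues the access token, so a stolen code alone is useless to whoever intercepted it.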
Common OAuth 2.0 Grant Types
Authorization Code Grant
The most secure and most commonly used flow, and the right choice for web and mobile applications.
Client Credentials Grant
Used when one system communicates directly with another system, without user involvement.
Refresh Token Grant
Used to get a new access token when the old one expires, without asking the user to log in again.
Benefits of OAuth 2.0
- Improves application security
- Protects user credentials
- Allows controlled and limited access
- Widely supported by modern platforms
Where Is OAuth 2.0 Used?
- Social login (Google, Facebook, GitHub)
- API security
- Microservices authentication
- Mobile and web applications
OAuth 2.0 vs Authentication
OAuth 2.0 is mainly about authorization (what an app is allowed to do), not authentication (who the user is).
However, many systems use OAuth together with OpenID Connect to handle both login and access control.
Conclusion
OAuth 2.0 is a modern and secure way to allow applications to access user data without exposing passwords. It has become the standard solution for authorization in today’s web and mobile applications.
If you have ever logged in using a social media account, you have already used OAuth 2.0 — even if you didn’t realize it.