July 30, 2025
What is OAuth (Open Authorization)?

OAuth (Open Authorization) is an open standard protocol that enables secure delegated access to user resources without requiring users to share their login credentials. Widely adopted across web and mobile applications, OAuth allows third-party applications (clients) to access a user’s data stored on another service (resource server), with the user's explicit consent, and without ever exposing the user’s password.
At its core, OAuth provides a framework for authorization rather than authentication. When a user wants to grant a third-party application access to their data—say, a photo printing service accessing images in their Google Drive—OAuth facilitates this access through access tokens issued by an authorization server. These tokens define the scope and duration of access, limiting what the third party can do and for how long.
OAuth defines four key roles:

  • Resource Owner: Typically the end-user
  • Client: The third-party application requesting access
  • Authorization Server: The system responsible for authenticating the user and issuing tokens
  • Resource Server: The API or service hosting the protected resources

OAuth 2.0, the most widely used version today, supports various grant types (or flows), such as:

  • Authorization Code Grant for server-side applications
  • Implicit Grant (now deprecated) for browser-based apps
  • Client Credentials Grant for machine-to-machine communication
  • Device Code Grant for IoT and limited-input devices
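
To make the four roles and the Authorization Code grant concrete, here is an added, self-contained simulation (not code from the original page or from any real OAuth library). The roles are plain Python classes and HTTP redirects are replaced by direct method calls; the client name "printshop", the scope "photos.read", the user "alice" and all secrets are constructed values. It shows the parts a practitioner cares about: the client never sees the user's password, the authorization code is single-use and bound to the registered redirect URI, the callback is tied to the client's session with a `state` value, and the resource server enforces both the token's scope and its expiry.

```python
"""Toy end-to-end simulation of the OAuth 2.0 Authorization Code grant.
Constructed example: class names, the "photos.read" scope, the client
"printshop" and the user "alice" are assumptions, not any real service."""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Token:
    value: str
    scope: frozenset     # what the client may do
    expires_at: float    # how long it may do it (unix time)
    client_id: str
    subject: str         # the resource owner the token acts for


class AuthorizationServer:
    """Authenticates the resource owner (simulated) and issues codes and tokens."""

    def __init__(self, token_ttl=3600):
        self.token_ttl = token_ttl
        self.clients = {}  # client_id -> (client_secret, redirect_uri)
        self.codes = {}    # code -> (client_id, redirect_uri, subject, scope)
        self.tokens = {}   # token value -> Token

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, scope, state, subject):
        """Front channel: the resource owner consents; returns redirect params."""
        if client_id not in self.clients or self.clients[client_id][1] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, subject, frozenset(scope.split()))
        return {"code": code, "state": state}

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back channel: exchange a single-use code for an access token."""
        registered = self.clients.get(client_id)
        if registered is None or not secrets.compare_digest(registered[0], client_secret):
            raise PermissionError("invalid_client")
        entry = self.codes.pop(code, None)  # pop: a code can be redeemed only once
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            raise PermissionError("invalid_grant")
        tok = Token(secrets.token_urlsafe(32), entry[3],
                    time.time() + self.token_ttl, client_id, entry[2])
        self.tokens[tok.value] = tok
        return tok

    def introspect(self, value):
        """Return the Token if it exists and has not expired, else None."""
        tok = self.tokens.get(value)
        return None if tok is None or tok.expires_at <= time.time() else tok


class ResourceServer:
    """Hosts the protected resource; enforces token validity and scope."""

    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.photos = {"alice": ["beach.jpg", "cat.jpg"]}  # constructed data

    def list_photos(self, access_token):
        tok = self.auth_server.introspect(access_token)
        if tok is None:
            raise PermissionError("invalid_token")
        if "photos.read" not in tok.scope:
            raise PermissionError("insufficient_scope")
        return self.photos.get(tok.subject, [])


class Client:
    """The third-party app; it never handles the resource owner's password."""

    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri = redirect_uri
        self.pending_states = set()

    def begin(self):
        state = secrets.token_urlsafe(8)  # binds the callback to this session
        self.pending_states.add(state)
        return state

    def handle_callback(self, params, auth_server):
        if params.get("state") not in self.pending_states:
            raise PermissionError("state mismatch: possible forged callback")
        self.pending_states.discard(params["state"])
        return auth_server.token(self.client_id, self.client_secret,
                                 params["code"], self.redirect_uri)


def run_flow(scope="photos.read", token_ttl=3600):
    """Drive one complete grant and return what the resource server released."""
    auth = AuthorizationServer(token_ttl)
    auth.register_client("printshop", "s3cret", "https://printshop.example/cb")
    api, app = ResourceServer(auth), Client("printshop", "s3cret", "https://printshop.example/cb")
    state = app.begin()
    redirect = auth.authorize("printshop", app.redirect_uri, scope, state, subject="alice")
    return api.list_photos(app.handle_callback(redirect, auth).value)


def rejected_reason(**kwargs):
    """Run the flow and return the error the flow raises, or None on success."""
    try:
        run_flow(**kwargs)
    except PermissionError as err:
        return str(err)
    return None
```

Running `run_flow()` returns alice's photo list; `rejected_reason(scope="photos.write")` shows the resource server refusing a token whose scope does not cover the request, and `rejected_reason(token_ttl=-1)` shows an already-expired token being refused. In a real deployment the front-channel and back-channel steps are HTTPS requests, the client secret is held only by a confidential (server-side) client, and the resource server typically validates a signed token locally or via a token introspection endpoint rather than sharing memory with the authorization server.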

OAuth is fundamental to many popular services including Google, Facebook, Microsoft, and GitHub, allowing users to "log in with" their existing credentials securely. Although it doesn’t handle user authentication directly, it forms the foundation for protocols like OpenID Connect, which adds an authentication layer.
By separating authentication from authorization, OAuth enhances both security and usability, making it a cornerstone of modern identity and access management in distributed systems.