OAuth 2.0 is an authorization framework that lets a third-party application obtain limited access to a user’s account on an HTTP service without the user handing that application their password. It is the machinery behind the familiar “connect your account” buttons, where a user grants one site permission to read or act on data held by another, and, through the OpenID Connect layer built on top of it, behind most “log in with” buttons as well. The framework is defined in RFC 6749, “The OAuth 2.0 Authorization Framework,” published by the IETF in October 2012 and edited by Dick Hardt.
The RFC frames the problem it solves directly: in the traditional client-server model, a client requesting a protected resource authenticates with the server using the resource owner’s credentials, which means giving third-party applications the owner’s password. OAuth introduces an authorization layer that separates the role of the client from that of the resource owner. Instead of using the owner’s credentials, the client obtains an access token, “a string denoting a specific scope, lifetime, and other access attributes,” and presents that token to the resource server to get at the protected resource.
OAuth 2.0 defines four roles: the resource owner (typically the end user), the resource server that hosts the protected resources, the client application, and the authorization server that issues access tokens after authenticating the owner and getting their consent. Tokens carry scopes that bound what the client may do, so a user can grant read-only access to their photos without surrendering full control of their account.
To obtain a token, the client first gets an authorization grant, and the specification defines four grant types: authorization code, implicit, resource owner password credentials, and client credentials. The authorization code grant, which redirects the user to the authorization server and then exchanges a short-lived, single-use code for a token over a direct client-to-server request, became the dominant flow for web and mobile applications. Later guidance from the IETF OAuth working group hardened that flow with PKCE (RFC 7636), which binds the code to the client that started the request, and the OAuth 2.0 Security Best Current Practice (RFC 9700) advises against the implicit grant and the resource owner password credentials grant for new deployments.
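The following is an added example, not code from RFC 6749 or from any particular library, showing the client side of the authorization code flow described above: building the authorization request, validating the redirect back from the authorization server, and assembling the token request and the bearer header the client later presents to the resource server. It adds PKCE (RFC 7636) and a `state` check on top of the bare RFC 6749 flow because that is what a practitioner would deploy today. The endpoints, client identifier and redirect URI are hypothetical placeholders, no network calls are made, and the callback URL at the bottom is constructed for illustration.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed (hypothetical) endpoints and client registration; not taken from the RFC.
AUTHORIZE_ENDPOINT = "https://auth.example.com/authorize"
TOKEN_ENDPOINT = "https://auth.example.com/token"
CLIENT_ID = "s6BhdRkqt3"           # placeholder client identifier
REDIRECT_URI = "https://client.example.com/cb"


def make_code_verifier() -> str:
    """PKCE code_verifier: 43 base64url characters (RFC 7636 allows 43-128)."""
    return secrets.token_urlsafe(32)


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(verifier))) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(state: str, verifier: str, scope: str = "photos:read") -> str:
    """Step 1 (RFC 6749 4.1.1): the URL the client redirects the user's browser to."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,                       # per-session CSRF binding, checked on return
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2 (RFC 6749 4.1.2): extract the code from the redirect back to the client.

    Rejects error responses and any state value that does not match the one
    stored in the user's session, which blocks login-CSRF and mixed-up sessions.
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or mixed-up session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def build_token_request(code: str, verifier: str) -> dict:
    """Step 3 (RFC 6749 4.1.3): form body the client POSTs to TOKEN_ENDPOINT."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,         # must equal the value sent in step 1
        "client_id": CLIENT_ID,
        "code_verifier": verifier,            # lets the server verify the PKCE challenge
    }


def bearer_header(token_response: dict) -> dict:
    """Step 4 (RFC 6750): present the access token to the resource server."""
    if token_response.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    return {"Authorization": f"Bearer {token_response['access_token']}"}


if __name__ == "__main__":
    session_state = secrets.token_urlsafe(16)
    verifier = make_code_verifier()
    print(build_authorization_url(session_state, verifier))
    # Constructed callback, as the browser would deliver it after the user consents.
    callback = f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={session_state}"
    code = parse_callback(callback, session_state)
    print(build_token_request(code, verifier))
```

The `state` value and the PKCE verifier must be stored server-side in the user's session between step 1 and step 3; a client that regenerates or skips them defeats both checks. The code verifier never leaves the client until the token request, which is a direct HTTPS call rather than a browser redirect, so an attacker who intercepts the code on the front channel cannot redeem it.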
OAuth 2.0 is deliberately an authorization framework rather than a complete protocol, and the RFC notes that it relies on other mechanisms, such as TLS, for confidentiality; it also leaves the format of the access token opaque to the client, specifying only how the token is obtained and presented. That generality made it the foundation for a large ecosystem. It is the base on which OpenID Connect builds an identity layer, and its access tokens are frequently issued as JSON Web Tokens so that resource servers can validate them locally.