OAuth Overview
OAuth is an open standard for access delegation, commonly used to let users grant third-party applications access to their resources on another service provider's site without sharing their login credentials. It allows users to share information stored on one site with another site without having to hand over their credentials or all of their data.
History
- OAuth was first published in 2007 by a group of developers including Blaine Cook, Chris Messina, and Larry Halff, who were looking for a solution to securely share data across sites.
- OAuth 1.0 was released in 2010 but was found to have several issues, including the complexity of implementing it correctly.
- Because of these issues, OAuth 2.0 was introduced in October 2012 as an updated version with a focus on simplicity and flexibility.
Core Concepts
- Authorization Server: The service that issues access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
- Resource Owner: The user who authorizes an application to access their account. The authorization is usually done via a user-agent (browser).
- Client: The application requesting access to the resource. This could be a web app, a mobile app, or a server-side application.
- Resource Server: The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
- Access Token: A string representing an authorization issued to the client. It lets the client call the resource server without ever holding the user's credentials.
- Refresh Token: A credential used to obtain a new access token when the current one expires.
Flows in OAuth 2.0
OAuth 2.0 defines several grant types or flows for different use cases:
- Authorization Code Grant: Used for server-side applications where the client can securely store credentials. The user logs in, consents, and the client receives an authorization code which it exchanges for an access token.
- Implicit Grant: Designed for clients running in a browser, such as JavaScript single-page applications. The access token is returned immediately in the fragment of the redirect URI, with no intermediate authorization code; because this exposes the token to the user-agent and browser history, current guidance discourages this flow.
- Resource Owner Password Credentials Grant: The resource owner gives the client their username and password directly, and the client exchanges them for an access token. This is intended only for clients the user already trusts fully.
- Client Credentials Grant: Used by clients to obtain an access token outside of the context of a user, typically for service accounts.
Security Considerations
OAuth 2.0 has been designed with security in mind:
- Access tokens are short-lived, which limits the window of exposure if one is leaked.
- Refresh tokens allow long-term access without the client having to store the user's credentials.
- OAuth supports Proof Key for Code Exchange (PKCE, RFC 7636) to prevent authorization code interception attacks against mobile and native applications.
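As an added example (not code from the original page or from any OAuth library), the following Python walks the Authorization Code Grant described above with the PKCE extension from the last bullet: the client derives an S256 challenge from a random verifier, sends only the challenge in the authorization request, and the authorization server recomputes the challenge at the token endpoint before releasing a token. The endpoint hosts, client id and the in-memory code store are constructed placeholders; accepting only S256 (not "plain") is a policy choice of this example.

```python
import base64
import hashlib
import secrets
import string
from urllib.parse import urlencode

# RFC 7636 section 4.1: the verifier is 43..128 characters from the unreserved set.
_UNRESERVED = set(string.ascii_letters + string.digits + "-._~")

def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: random verifier, base64url without '=' padding (32 bytes -> 43 chars)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")

def make_code_challenge(verifier: str) -> str:
    """S256 method (RFC 7636 section 4.2): BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorization_url(auth_endpoint: str, client_id: str, redirect_uri: str,
                            scope: str, state: str, challenge: str) -> str:
    """Authorization request the client redirects the user-agent to; only the challenge leaves the client."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "state": state, "code_challenge": challenge,
              "code_challenge_method": "S256"}
    return f"{auth_endpoint}?{urlencode(params)}"

def verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Authorization server side, at the token endpoint: recompute the challenge from the presented
    verifier and compare in constant time. Policy choice in this example: only S256 is accepted."""
    if stored_method != "S256":
        return False
    if not 43 <= len(presented_verifier) <= 128 or not set(presented_verifier) <= _UNRESERVED:
        return False
    return secrets.compare_digest(make_code_challenge(presented_verifier), stored_challenge)

def simulate_exchange() -> dict:
    """Both roles in-process: the client binds the code to a verifier, the server checks the binding."""
    verifier = make_code_verifier()            # stays on the client
    challenge = make_code_challenge(verifier)  # the only PKCE value sent in the front channel
    url = build_authorization_url("https://auth.example/authorize", "demo-client",
                                  "https://app.example/cb", "read", secrets.token_urlsafe(16), challenge)
    # Server issues a code and records the challenge with it (constructed in-memory store).
    code = secrets.token_urlsafe(24)
    issued = {code: {"challenge": challenge, "method": "S256"}}
    rec = issued[code]
    return {
        "url": url,
        "legit": verify_pkce(rec["challenge"], rec["method"], verifier),
        "wrong_verifier": verify_pkce(rec["challenge"], rec["method"], make_code_verifier()),
    }
```

The `wrong_verifier` result shows why a stolen authorization code alone is useless: without the verifier that never left the client, the token endpoint refuses the exchange.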