Wednesday, 26 February 2025

OAuth 2.0 (Open Authorization 2.0) - An Overview

OAuth2:

OAuth 2.0 (Open Authorization 2.0) is an industry-standard protocol for secure authorization and access delegation. It allows applications to access resources on behalf of a user without sharing their username and password.

OAuth2 is widely used for API security, enabling single sign-on (SSO), third-party logins, and secure API access.


Key Features of OAuth 2.0:

  • Token-Based Authentication – Uses access tokens instead of passwords.
  • Delegated Authorization – Grants limited access to third-party apps.
  • Supports Multiple Flows – Works for web apps, mobile apps, and APIs.
  • Secure & Scalable – Limits what a token may do through scopes and how long it stays valid through expiration.
  • Used by Major Platforms – Google, Facebook, Microsoft, AWS, and more.


How OAuth 2.0 Works (Simplified Flow):

  • User Requests Access → A user tries to log in to an application via Google, Facebook, etc.
  • Authorization Request → The app redirects the user to an Authorization Server (e.g., Google OAuth).
  • User Grants Permission → The user approves access to their data (e.g., email, contacts).
  • Authorization Server Issues a Token → The app gets an Access Token (temporary key).
  • Application Accesses Resources → The app uses the token to fetch user data without needing the password.
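The five steps above, walked through for the Authorization Code Flow, as an added example that is not part of the original post. The authorization server, client id, client secret and redirect URI are all constructed, in-memory stand-ins; the point is to show the checks (state binding, single-use short-lived codes, scope and expiry on the token) that make the flow safe.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs
# Constructed demo: client id, secret and redirect URI are hypothetical values.
CLIENTS = {"demo-web-app": "demo-secret"}   # client_id -> client_secret
REDIRECT_URI = "https://app.example/callback"
CODE_TTL, TOKEN_TTL = 60, 3600              # seconds; codes are short-lived

class AuthorizationServer:
    def __init__(self):
        self.codes = {}    # code  -> (client_id, redirect_uri, scope, expires_at)
        self.tokens = {}   # token -> (scope, expires_at)

    def authorize(self, client_id, redirect_uri, scope, state):
        # Steps 2-3: user approved the scope; send a one-time code to the
        # registered redirect URI, echoing the client's state.
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, scope, time.time() + CODE_TTL)
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, code, client_id, client_secret, redirect_uri):
        # Step 4 (back channel): pop() makes the code single-use; the binding
        # and expiry checks reject codes that are stolen, replayed or stale.
        entry = self.codes.pop(code, None)
        if entry is None or CLIENTS.get(client_id) != client_secret:
            return None
        c_id, r_uri, scope, expires_at = entry
        if (c_id, r_uri) != (client_id, redirect_uri) or time.time() > expires_at:
            return None
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = (scope, time.time() + TOKEN_TTL)
        return {"access_token": tok, "token_type": "Bearer",
                "expires_in": TOKEN_TTL, "scope": scope}

    def allows(self, tok, required_scope):   # step 5: resource-server check
        entry = self.tokens.get(tok)
        return bool(entry) and time.time() <= entry[1] and required_scope in entry[0].split()

def code_from(callback_url):
    q = parse_qs(urlparse(callback_url).query)
    return q["code"][0], q["state"][0]

def run_flow(srv, scope="openid email", forged_state=None):
    # Step 1: random state binds the redirect back to this browser session.
    state = secrets.token_urlsafe(16)
    callback = srv.authorize("demo-web-app", REDIRECT_URI, scope, state)
    code, returned_state = code_from(callback)
    if (forged_state or returned_state) != state:
        return None                        # response not tied to our request
    return srv.token(code, "demo-web-app", "demo-secret", REDIRECT_URI)
```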


OAuth 2.0 Grant Types (Authorization Flows)

| Flow Type | Use Case | Example |
|---|---|---|
| Authorization Code Flow | Secure login for web apps & APIs. | Google Sign-In for websites. |
| Implicit Flow | Used in legacy single-page applications (SPA). | Browser-based apps. |
| Client Credentials Flow | Machine-to-machine authentication (M2M). | API integrations between systems. |
| Password Grant | Allows login with username/password (not recommended). | Internal enterprise applications. |
| Refresh Token | Extends access without requiring user login again. | Mobile apps keeping sessions active. |


OAuth 2.0 vs. Other Authentication Methods

| Method | Authentication Type | Use Case |
|---|---|---|
| Basic Authentication | Username & password. | Legacy applications. |
| OAuth 2.0 | Token-based access. | Modern web & mobile apps, API security. |
| API Key | Static key in headers. | Simple API access, not user specific. |
| SAML (Security Assertion Markup Language) | XML-based SSO authentication. | Enterprise-level authentication. |


Where is OAuth 2.0 Used?

  • Social Media Login – "Sign in with Google/Facebook/LinkedIn."
  • API Security – RESTful APIs in cloud & SaaS applications.
  • Mobile & Web Apps – Securing third-party app access to user data.
  • IoT & Machine-to-Machine (M2M) – Device authentication.
