
OAuth

What is OAuth?

OAuth (Open Authorization) is an open standard authorization framework that allows third-party applications to access a user's resources on another service without exposing the user's credentials. Instead of sharing passwords, OAuth uses access tokens with defined scopes and expiration times to grant limited access. OAuth 2.0, the current version, is the industry-standard protocol used by platforms like Google, GitHub, Microsoft, and thousands of other API providers.

How OAuth 2.0 Works

OAuth 2.0 defines several grant types (authorization flows) for different use cases. The most common is the Authorization Code flow: a user clicks "Sign in with GitHub," is redirected to GitHub's authorization server, logs in and grants permission, and is redirected back to the application with an authorization code. The application exchanges this code for an access token (and optionally a refresh token) by making a server-side request. The access token is then used to make authenticated API requests on behalf of the user.

OAuth Roles and Scopes

OAuth defines four roles: the Resource Owner (the user), the Client (the third-party application), the Authorization Server (issues tokens), and the Resource Server (hosts the protected API). Scopes define the level of access being requested — for example, read:user might allow reading profile information while repo grants access to repositories. Users can review and approve the requested scopes before granting access, maintaining control over what data third-party applications can access.

OAuth in Practice

Implementing OAuth correctly requires careful attention to security. Applications must validate redirect URIs to prevent authorization code interception. The PKCE (Proof Key for Code Exchange) extension is now recommended for all clients, including server-side applications, to mitigate code injection attacks. Access tokens should be short-lived, and refresh tokens should be stored securely and rotated on use. State parameters prevent cross-site request forgery. While OAuth is powerful, its complexity means most developers rely on well-tested libraries and identity providers rather than implementing the protocol from scratch.
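The Authorization Code flow from "How OAuth 2.0 Works", together with the three protections named above (registered redirect URI, PKCE with S256, and a state parameter), as an added Python simulation written for this page; it is not code from any provider, library or the OAuth specifications themselves. Both the client and a minimal authorization server run in one process: the endpoint URL, client id and redirect URI are constructed placeholders, and the front-channel redirects and back-channel token request are modelled as direct method calls rather than HTTP.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed identifiers for the simulation; no real provider is involved.
AUTHORIZE_ENDPOINT = "https://auth.example/authorize"
CLIENT_ID = "example-client"
REGISTERED_REDIRECT_URI = "https://app.example/callback"


def b64url(raw: bytes) -> str:
    """Unpadded base64url, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class Client:
    """The third-party application; keeps state and verifier server-side per login."""

    def __init__(self):
        self.pending = {}  # state -> code_verifier, consumed on the callback

    def begin_login(self, scope="read:user"):
        state = secrets.token_urlsafe(16)            # binds the callback to this browser session
        verifier = b64url(secrets.token_bytes(32))   # 43 chars, within RFC 7636's 43..128 range
        self.pending[state] = verifier
        params = {"response_type": "code", "client_id": CLIENT_ID,
                  "redirect_uri": REGISTERED_REDIRECT_URI, "scope": scope, "state": state,
                  "code_challenge": pkce_challenge(verifier), "code_challenge_method": "S256"}
        return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"  # the user's browser is sent here

    def handle_callback(self, callback_url, server):
        q = parse_qs(urlparse(callback_url).query)
        verifier = self.pending.pop(q.get("state", [""])[0], None)
        if verifier is None:
            raise ValueError("unknown or reused state: callback rejected")
        # Back-channel exchange: the code plus the verifier the authorization server has not seen.
        return server.token(CLIENT_ID, q["code"][0], REGISTERED_REDIRECT_URI, verifier)


class AuthorizationServer:
    """Minimal authorization server: registered redirect URIs, one-time codes, PKCE check."""

    def __init__(self):
        self.registered = {CLIENT_ID: {REGISTERED_REDIRECT_URI}}
        self.codes = {}  # code -> (client_id, redirect_uri, code_challenge, scope)

    def authorize(self, auth_url):
        """Models the user logging in and approving the scopes; returns the redirect back."""
        q = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
        if q.get("redirect_uri") not in self.registered.get(q.get("client_id"), set()):
            raise ValueError("redirect_uri not registered for this client")
        if q.get("code_challenge_method") != "S256" or not q.get("code_challenge"):
            raise ValueError("PKCE with S256 is required")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"], q.get("scope", ""))
        return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, client_id, code, redirect_uri, code_verifier):
        entry = self.codes.pop(code, None)  # single use; a failed attempt also burns the code
        if entry is None:
            raise ValueError("invalid or already-used authorization code")
        issued_to, issued_redirect, challenge, scope = entry
        if (issued_to, issued_redirect) != (client_id, redirect_uri):
            raise ValueError("code was issued to a different client or redirect_uri")
        if not secrets.compare_digest(pkce_challenge(code_verifier), challenge):
            raise ValueError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 900, "scope": scope}  # short-lived, as the text recommends


def run_flow(scope="read:user"):
    """Happy path: authorization request, user approval, callback, code-for-token exchange."""
    client, server = Client(), AuthorizationServer()
    return client.handle_callback(server.authorize(client.begin_login(scope)), server)


def _rejects(fn, *args):
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def negative_checks():
    """Each protection refusing a tampered message; returns which checks held."""
    client, server = Client(), AuthorizationServer()
    auth_url = client.begin_login()
    good = urlencode({"redirect_uri": REGISTERED_REDIRECT_URI})
    bad = urlencode({"redirect_uri": "https://unregistered.example/cb"})
    callback = server.authorize(auth_url)
    code = parse_qs(urlparse(callback).query)["code"][0]
    forged_callback = f"{REGISTERED_REDIRECT_URI}?{urlencode({'code': code, 'state': 'forged'})}"
    return {"redirect_uri": _rejects(server.authorize, auth_url.replace(good, bad)),
            "state": _rejects(client.handle_callback, forged_callback, server),
            "pkce": _rejects(server.token, CLIENT_ID, code, REGISTERED_REDIRECT_URI, "not-the-verifier")}


if __name__ == "__main__":
    print(run_flow())
    print(negative_checks())
```

The three negative checks map onto the three sentences above: the authorization server refuses to redirect to a URI that was not registered for the client, the client refuses a callback whose state it did not issue, and the token endpoint refuses a code presented without the matching verifier. Note that a failed PKCE check consumes the code, so a code that has been exposed cannot be retried; in a real deployment the verifier stays on the client and is sent only over the back channel, and a confidential client would additionally authenticate to the token endpoint, which this simulation omits.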

Related terms