What it is
OAuth 2.0 is a widely adopted framework for delegated authorization. It allows third-party applications to access a user’s resources, such as email, contacts, or cloud files, without ever seeing the user’s credentials. Instead of sharing passwords, OAuth 2.0 relies on access tokens issued by an authorization server, which define what resources can be accessed and for how long.
For example, when you sign in to a new service using your Google or Microsoft account, OAuth 2.0 handles the behind-the-scenes trust exchange. It issues short-lived tokens to the requesting app while keeping your credentials safely within the identity provider.
The framework defines multiple grant types (Authorization Code, Client Credentials, Implicit, and Device Code) to accommodate different use cases, from web apps to IoT devices. However, OAuth 2.0 itself does not handle authentication directly; OpenID Connect extends it to verify user identity.
Why it matters
OAuth 2.0 simplifies user experience while improving security by eliminating password reuse across services. Yet, improper implementation, such as insecure token storage or weak redirect validation, can lead to authorization bypasses or data leaks. Attackers often exploit misconfigured OAuth flows to impersonate users or steal tokens.
How to reduce risk
- Always use HTTPS for all OAuth interactions.
- Validate redirect URIs and enforce strict scopes.
- Store tokens securely and use refresh tokens with short expiration.
- Pair OAuth with OpenID Connect for identity assurance.
- Regularly review third-party app permissions and revoke unused ones.
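To make the redirect-URI and scope points concrete, here is an added example (not code from the original page or from any OAuth library) of the checks an authorization server applies to an incoming authorization request. It contrasts lax prefix matching of redirect URIs with exact-match allowlisting and rejects scopes the client never registered; the client id, URIs and scopes are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample registration, not real data: what an authorization server
# stores for a client at registration time (hypothetical client id and URIs).
CLIENT_REGISTRY = {
    "client-123": {
        "redirect_uris": {"https://app.example/callback"},
        "scopes": {"openid", "email", "files.read"},
    },
}


def weak_redirect_check(registered, requested):
    """Prefix matching: the lax pattern the text warns about. Anything that
    merely begins with a registered URI passes, including altered paths."""
    return any(requested.startswith(uri) for uri in registered)


def strict_redirect_check(registered, requested):
    """Exact-match allowlisting: the requested URI must be exactly one of the
    registered values, use https, and carry no fragment."""
    parts = urlsplit(requested)
    if parts.scheme != "https" or parts.fragment:
        return False
    return requested in registered


def authorize_request(client_id, redirect_uri, scope):
    """Decide whether an authorization request may proceed.
    Returns (ok, detail): detail is the granted scope set, or a reason string."""
    client = CLIENT_REGISTRY.get(client_id)
    if client is None:
        return False, "unknown client"
    if not strict_redirect_check(client["redirect_uris"], redirect_uri):
        return False, "redirect_uri not registered"
    requested = set(scope.split())
    unknown = requested - client["scopes"]
    if unknown:
        # Do not silently narrow the grant: reject so the request is visibly invalid.
        return False, "scope not permitted: " + " ".join(sorted(unknown))
    return True, requested


if __name__ == "__main__":
    registered = CLIENT_REGISTRY["client-123"]["redirect_uris"]
    for uri in ("https://app.example/callback",
                "https://app.example/callback/../export",
                "https://app.example/callback#state",
                "http://app.example/callback"):
        print(uri, "weak:", weak_redirect_check(registered, uri),
              "strict:", strict_redirect_check(registered, uri))
```

Only the first URI passes the strict check; the prefix check accepts the second, which is why exact matching against the registered list is the safe default.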