OAuth 2.0

OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices. This specification and its extensions are being developed within the IETF OAuth Working Group.

OAuth 2.0 Framework - RFC 6749
OAuth Grant Types
- Authorization Code
- PKCE
- Client Credentials
- Device Code
- Refresh Token
- Legacy: Implicit Flow
- Legacy: Password Grant
Client Types - Confidential and Public Applications
Client Authentication
Bearer Tokens - RFC 6750
Threat Model and Security Considerations - RFC 6819
OAuth Security Best Current Practice
ID Tokens vs Access Tokens

Mobile and Other Devices

Native Apps - Recommendations for using OAuth with native apps
Browser-Based Apps - Recommendations for using OAuth with browser-based apps (e.g. an SPA)
Device Authorization Grant - OAuth for devices with no browser or no keyboard

Token and Token Management

JWT Profile for Access Tokens - RFC 9068, a standard for structured access tokens
Token Introspection - RFC 7662, to determine the active state and meta-information of a token
Token Revocation - RFC 7009, to signal that a previously obtained token is no longer needed
JSON Web Token - RFC 7519
Token Exchange - RFC 8693

Discovery and Registration

Authorization Server Metadata - RFC 8414, for clients to discover OAuth endpoints and authorization server capabilities
Dynamic Client Registration - RFC 7591, to programmatically register OAuth clients
Dynamic Client Registration Management - Experimental RFC 7592, for updating and managing dynamically registered OAuth clients

High Security OAuth

These specs are used to add additional security properties on top of OAuth 2.0.

Pushed Authorization Requests (PAR) - RFC 9126
Demonstration of Proof of Possession (DPoP) - RFC 9449
Mutual TLS - RFC 8705
Private Key JWT - (RFC 7521, RFC 7521, OpenID)
FAPI

Experimental and Draft Specs

The specs below are either experimental or in draft status and are still active working group items. They will likely change before they are finalized as RFCs or BCPs.

Additional Extensions

OAuth Extension Parameter Registry
OAuth Assertions Framework - RFC 7521
SAML2 Bearer Assertion - RFC 7522, for integrating with existing identity systems
JWT Bearer Assertion - RFC 7523
Authorization Server Issuer Identification - RFC 9207, indicates the authorization server identifier in the authorization response
Rich Authorization Requests (RAR) - RFC 9396

Related Work from Other Communities

FAPI (OpenID Foundation)
WebAuthn - Web Authentication
passkeys are a new way to sign in to services without a password
HTTP Message Signatures - A generic HTTP message signing spec
OpenID for Verifiable Credentials

Community Resources

OAuth 2.0 Simplified
Books about OAuth
- OAuth 2.0 Simplified by Aaron Parecki
- OAuth 2 in Action by Justin Richer and Antonio Sanso
- Mastering OAuth 2.0 by Charles Bihis
- OAuth 2.0 Cookbook by Adolfo Eloy Nascimento
The Nuts and Bolts of OAuth - video course by Aaron Parecki

Protocols Built on OAuth 2.0

OpenID Connect (OpenID Foundation)
UMA 2.0 (Kantara)
IndieAuth (W3C)

Code and Services

OAuth 2.0 Code and Services

OAuth 2.1

OAuth 2.1 - An in-progress update to consolidate and simplify OAuth 2.0
It's Time for OAuth 2.1 (by Aaron Parecki)

Legacy

OAuth 1.0 and 1.0a

FAQs

Why is a bad idea to use OAuth 2.0 for authentication? ›

Perhaps the most infamous OAuth-based vulnerability is when the configuration of the OAuth service itself enables attackers to steal authorization codes or access tokens associated with other users' accounts. By stealing a valid code or token, the attacker may be able to access the victim's data.

Read On ›

What is OAuth 2.0 authentication in rest API? ›

OAuth 2.0 is a standard for implementing delegated authorization, and authorization is based on the access token required to access a resource. The access token can be issued for a given scope, which defines what the access token can do and what resources it can access.

Discover More Details ›

Is OAuth 2.0 an authentication protocol? ›

OAuth 2.0 is not an authentication protocol.

This article is intended to help potential identity providers with the question of how to build an authentication and identity API using OAuth 2.0 as the base. Essentially, if you're saying "I have OAuth 2.0, and I need authentication and identity", then read on.

What is the difference between basic authentication and oauth2? ›

Opposed to OAuth, Basic Authentication is a more straightforward, yet less secure method embedded within the HTTP framework. It involves transmitting a username and password with every request, often encoded in Base64. This method, while simple, risks exposing user credentials more openly.

See Details ›

Is OAuth2 obsolete? ›

It states that OAuth 2.0 is deprecated.

Find Out More ›

What is an example of OAuth 2.0 authentication? ›

OAuth 2.0 allows users to share specific data with an application while keeping their usernames, passwords, and other information private. For example, an application can use OAuth 2.0 to obtain permission from users to store files in their Google Drives. This OAuth 2.0 flow is called the implicit grant flow.

Tell Me More ›

Is OAuth 2.0 authentication or authorization? ›

Principles of OAuth2.0

OAuth 2.0 is an authorization protocol and NOT an authentication protocol. As such, it is designed primarily as a means of granting access to a set of resources, for example, remote APIs or user data. OAuth 2.0 uses Access Tokens.

Show Me More ›

Why is OAuth2 not authentication? ›

Authentication is ignored in OAuth2 and OIDC because it is a separate concern. This allows OAuth2 and OIDC to focus on the nitty gritty details of getting the resource owner to the authorization server as well as generating access and identity tokens.

Explore More ›

What is the most common form of OAuth2 authentication? ›

Authorization Code Grant is the most widely used grant type to authorize the client. In this scenario, the authorization server will return a single-use authorization code to the client, which is then exchanged for an access token.

Does OAuth require a password? ›

OAuth is an authentication protocol that allows two applications to communicate and share data without exposing the user's password. It uses a combination of security tokens and HTTP redirects to accomplish this.

Show Me More ›

How safe is OAuth? ›

OAuth is designed to work with Hypertext Transfer Protocol (HTTP). It uses access tokens to prove your identity and allow it to interact with another service on your behalf. In the event that this second service suffers a data breach, your credentials on the first service will remain safe.

Read The Full Story ›

Why is OAuth more secure than password? ›

When you compare both methods of authentication, OAuth 2.0 provides better security than basic authentication because its initial requests for credentials are made under the SSL protocol and its access object is a transitory token.

See Details ›

Can you use OAuth2 for authentication? ›

To authenticate using OAuth 2.0. Eloqua supports three possible flows that an application can use to obtain access on behalf of a resource owner: Authorization Code grant, Implicit grant, Resource Owner Password Credentials grant.

Get More Info Here ›

Why do you probably not need OAuth2 OpenID Connect? ›

OAuth2 is not an authentication (login) protocol!

The purpose of OAuth2 Tokens is to authorize requests at a first party server (or API). If the third party uses the OAuth2 Access Token as proof of authentication, an attacker could easily impersonate a legitimate user.

What problem does OAuth2 solve? ›

It replaced OAuth 1.0 in 2012 and is now the de facto industry standard for online authorization. OAuth 2.0 provides consented access and restricts actions of what the client app can perform on resources on behalf of the user, without ever sharing the user's credentials.