What is OAuth 2.0 and what does it do for you? - Auth0 (2024)


OAuth 2.0, which stands for “Open Authorization”, is a standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user. It replaced OAuth 1.0 in 2012 and is now the de facto industry standard for online authorization. OAuth 2.0 provides consented access and restricts the actions the client app can perform on resources on behalf of the user, without ever sharing the user's credentials.

Although the web is the main platform for OAuth 2.0, the specification also describes how to handle this kind of delegated access for other client types (browser-based applications, server-side web applications, native/mobile apps, connected devices, etc.).

Principles of OAuth 2.0

OAuth 2.0 is an authorization protocol and NOT an authentication protocol. As such, it is designed primarily as a means of granting access to a set of resources, for example, remote APIs or user data.

OAuth 2.0 uses Access Tokens. An Access Token is a piece of data that represents the authorization to access resources on behalf of the end-user. OAuth 2.0 doesn’t define a specific format for Access Tokens. However, in some contexts, the JSON Web Token (JWT) format is often used. This enables token issuers to include data in the token itself. Also, for security reasons, Access Tokens may have an expiration date.
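As an added example, not code from the Auth0 page: a resource server validating a JWT-formatted Access Token before serving a request. The token is HS256-signed with a secret shared between the authorization server and the resource server, and the check covers the signature, the expiry the paragraph mentions, the intended audience and the granted scope. The secret, the token claims, the function names and the example URLs are all constructed for the demonstration; the block mints its own token so it runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret shared by the authorization server and the resource server.
DEMO_SECRET = b"demo-shared-secret-not-for-production"
DEMO_AUDIENCE = "https://api.example.test"   # assumed resource server identifier


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT the way a demo authorization server would."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class TokenError(Exception):
    """Raised when the resource server must reject the presented token."""


def validate_access_token(token, secret, expected_audience, required_scope, now=None):
    """Resource-server side: return the claims only if every check passes."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose (rejects "none", key confusion).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    # Access tokens carry an expiry; treat a missing exp as invalid, not as eternal.
    if "exp" not in claims or now >= claims["exp"]:
        raise TokenError("expired")
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    # Scopes are space-separated; require the one this endpoint protects.
    if required_scope not in claims.get("scope", "").split():
        raise TokenError("insufficient scope")
    return claims


def demo():
    """Mint a token and validate it with a fixed clock; returns the accepted claims."""
    claims = {"iss": "https://as.example.test", "sub": "user-123",
              "aud": DEMO_AUDIENCE, "scope": "read:files write:files",
              "exp": 1_700_000_300}
    token = issue_access_token(claims, DEMO_SECRET)
    return validate_access_token(token, DEMO_SECRET, DEMO_AUDIENCE, "read:files",
                                 now=1_700_000_000)


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the signature is verified before any claim is trusted, and the algorithm is pinned from the resource server's configuration rather than read from the token header.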

OAuth 2.0 Roles

The idea of roles is part of the core specification of the OAuth 2.0 authorization framework. These define the essential components of an OAuth 2.0 system, and are as follows:

  • Resource Owner: The user or system that owns the protected resources and can grant access to them.

  • Client: The client is the system that requires access to the protected resources. To access resources, the Client must hold the appropriate Access Token.

  • Authorization Server: This server receives requests from the Client for Access Tokens and issues them upon successful authentication and consent by the Resource Owner. The authorization server exposes two endpoints: the Authorization endpoint, which handles the interactive authentication and consent of the user, and the Token endpoint, which is involved in a machine-to-machine interaction.

  • Resource Server: A server that protects the user’s resources and receives access requests from the Client. It accepts and validates an Access Token from the Client and returns the appropriate resources to it.

OAuth 2.0 Scopes

Scopes are an important concept in OAuth 2.0. They are used to specify exactly the reason for which access to resources may be granted. Acceptable scope values, and which resources they relate to, are dependent on the Resource Server.

OAuth 2.0 Access Tokens and Authorization Code

The OAuth 2 Authorization server may not directly return an Access Token after the Resource Owner has authorized access. Instead, and for better security, an Authorization Code may be returned, which is then exchanged for an Access Token. In addition, the Authorization server may also issue a Refresh Token with the Access Token. Unlike Access Tokens, Refresh Tokens normally have long expiry times and may be exchanged for new Access Tokens when the latter expires. Because Refresh Tokens have these properties, they have to be stored securely by clients.

How Does OAuth 2.0 Work?

At the most basic level, before OAuth 2.0 can be used, the Client must acquire its own credentials, a client id and client secret, from the Authorization Server in order to identify and authenticate itself when requesting an Access Token.

Using OAuth 2.0, access requests are initiated by the Client, e.g., a mobile app, website, smart TV app, desktop application, etc. The token request, exchange, and response follow this general flow:

  1. The Client requests authorization (authorization request) from the Authorization server, supplying the client id and secret as identification; it also provides the scopes and an endpoint URI (redirect URI) to send the Access Token or the Authorization Code to.

  2. The Authorization server authenticates the Client and verifies that the requested scopes are permitted.

  3. The Resource owner interacts with the Authorization server to grant access.

  4. The Authorization server redirects back to the Client with either an Authorization Code or an Access Token, depending on the grant type, as explained in the next section. A Refresh Token may also be returned.

  5. With the Access Token, the Client requests access to the resource from the Resource server.

Grant Types in OAuth 2.0

In OAuth 2.0, grants are the set of steps a Client has to perform to get resource access authorization. The authorization framework provides several grant types to address different scenarios:

  • Authorization Code grant: The Authorization server returns a single-use Authorization Code to the Client, which is then exchanged for an Access Token. This is the best option for traditional web apps where the exchange can securely happen on the server side. The Authorization Code flow might be used by Single Page Apps (SPA) and mobile/native apps. However, here, the client secret cannot be stored securely, and so authentication, during the exchange, is limited to the use of client id alone. A better alternative is the Authorization Code with PKCE grant, below.

  • Implicit Grant: A simplified flow where the Access Token is returned directly to the Client. In the Implicit flow, the authorization server may return the Access Token as a parameter in the callback URI or as a response to a form post. The first option is now deprecated due to potential token leakage.

  • Authorization Code Grant with Proof Key for Code Exchange (PKCE): This authorization flow is similar to the Authorization Code grant, but with additional steps that make it more secure for mobile/native apps and SPAs.

  • Resource Owner Credentials Grant Type: This grant requires the Client first to acquire the resource owner’s credentials, which are passed to the Authorization server. It is, therefore, limited to Clients that are completely trusted. It has the advantage that no redirect to the Authorization server is involved, so it is applicable in the use cases where a redirect is infeasible.

  • Client Credentials Grant Type: Used for non-interactive applications, e.g., automated processes, microservices, etc. In this case, the application authenticates itself by using its client id and secret.

  • Device Authorization Flow: A grant that enables use by apps on input-constrained devices, such as smart TVs.

  • Refresh Token Grant: The flow that involves the exchange of a Refresh Token for a new Access Token.
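As an added example, not code from the Auth0 page: the general flow from the "How Does OAuth 2.0 Work?" section carried through for the Authorization Code grant with PKCE described above. The Client generates a code_verifier and its S256 code_challenge, builds the authorization request with its client id, scope, redirect URI and a state value, checks that state when the Authorization server redirects back with the single-use Authorization Code, and exchanges the code for an Access Token at the Token endpoint by presenting the verifier. The Authorization server is a tiny in-memory stand-in written for this demonstration; the client id, endpoint URLs and class/function names are assumptions, and no client secret is involved because PKCE is exactly the case where the Client cannot keep one.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed demo identifiers, not real endpoints.
AUTHORIZE_ENDPOINT = "https://as.example.test/authorize"
CLIENT_ID = "spa-demo"
REDIRECT_URI = "https://app.example.test/callback"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_pkce_pair():
    """Client side: a fresh random code_verifier and its S256 code_challenge."""
    verifier = secrets.token_urlsafe(64)          # 86 chars, within the 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_request(scope, state, challenge):
    """Step 1: the Client sends scopes, redirect URI and PKCE challenge to the AS."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Step 4 on the Client: accept the code only if state matches what we sent."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to our request")
    return q["code"][0]


class DemoAuthorizationServer:
    """In-memory stand-in for the Authorization endpoint and Token endpoint."""

    def __init__(self, registered_clients):
        self.clients = registered_clients   # client_id -> registered redirect_uri
        self.pending = {}                   # single-use code -> what was authorized

    def authorize(self, request_url):
        """Steps 2-4: validate the request, (user consents), redirect with a code."""
        q = {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}
        if self.clients.get(q.get("client_id")) != q.get("redirect_uri"):
            raise ValueError("unknown client or unregistered redirect_uri")
        if q.get("code_challenge_method") != "S256":
            raise ValueError("S256 code_challenge_method required")
        code = secrets.token_urlsafe(32)
        self.pending[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                              "challenge": q["code_challenge"], "scope": q["scope"]}
        return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, code, code_verifier, client_id, redirect_uri):
        """Token endpoint: exchange a code once, only with the matching verifier."""
        record = self.pending.pop(code, None)   # pop makes the code single-use
        if record is None:
            raise ValueError("invalid or already used authorization code")
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            raise ValueError("client_id/redirect_uri do not match the authorization")
        expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not hmac.compare_digest(expected, record["challenge"]):
            raise ValueError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": record["scope"]}


def run_demo_flow(server=None, scope="read:files"):
    """Whole flow end to end; returns the token response the Client receives."""
    server = server or DemoAuthorizationServer({CLIENT_ID: REDIRECT_URI})
    verifier, challenge = new_pkce_pair()
    state = secrets.token_urlsafe(16)
    callback = server.authorize(build_authorization_request(scope, state, challenge))
    code = parse_callback(callback, state)
    return server.token(code, verifier, CLIENT_ID, REDIRECT_URI)


if __name__ == "__main__":
    print(run_demo_flow())
```

The two checks that make this safer than the plain Authorization Code grant for public clients are both on the Authorization server side: the code is consumed on first use, and a code is only exchanged by whoever can present the verifier that hashes to the challenge sent in step 1.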

Want to learn more?

Keep reading at our Intro to IAM page to explore more topics around Identity and Access Management.



FAQs

What is OAuth 2.0 and what does it do for you? - Auth0? ›

The OAuth 2.0 authorization framework is a protocol that allows a user to grant a third-party web site or application access to the user's protected resources, without necessarily revealing their long-term credentials or even their identity.

What is OAuth 2.0 and Auth0? ›

In summary, Auth0 is an identity and access management platform that leverages OAuth as a key component of its service. Auth0 uses OAuth 2.0 to handle authorization and token-based access control, while also providing a range of features to manage user identities and authentication.

What is Auth0 and how does it work? ›

Auth0 is a flexible, drop-in solution to add authentication and authorization services to your applications. Your team and organization can avoid the cost, time, and risk that come with building your own solution to authenticate and authorize users.

Why is it a bad idea to use OAuth 2.0 for authentication? ›

Leaking authorization codes and access tokens. Perhaps the most infamous OAuth-based vulnerability is when the configuration of the OAuth service itself enables attackers to steal authorization codes or access tokens associated with other users' accounts.

What is the purpose of the authorization code in OAuth2? ›

The OAuth 2.0 authorization code grant type, or auth code flow, enables a client application to obtain authorized access to protected resources like web APIs. The auth code flow requires a user-agent that supports redirection from the authorization server (the Microsoft identity platform) back to your application.

Why do people use Auth0? ›

Auth0 is a platform companies and web developers use to verify a user's identity before giving them access to websites and applications. It's a flexible, secure, and user-friendly way to let genuine customers in while keeping malicious and fraudulent parties out.

How does OAuth 2.0 work in Rest API? ›

OAuth 2.0 is a standard for implementing delegated authorization, and authorization is based on the access token required to access a resource. The access token can be issued for a given scope, which defines what the access token can do and what resources it can access.

What is the secret key of Auth0? ›

Auth0 has the secret key, which is used to generate the signature, and the consumer of the JWT has the public key, which is used to validate the signature. HS256 is a symmetric algorithm which means that there is only one secret key, shared between the two parties.

What are the benefits of Auth0? ›

It simplifies the user authorization process, which can be used to access multiple services without having to enter separate credentials each time. This means that users don't have to remember different passwords or go through time-consuming logins every time they use an application.

Is Auth0 the same as Okta? ›

Auth0 and Okta are enterprise IAM solutions that have comprehensive features, but solve two different problems. Auth0 provides authentication and authorization for custom applications, and Okta is an enterprise-grade IAM platform.

What problem does OAuth2 solve? ›

It replaced OAuth 1.0 in 2012 and is now the de facto industry standard for online authorization. OAuth 2.0 provides consented access and restricts actions of what the client app can perform on resources on behalf of the user, without ever sharing the user's credentials.

What is an example of OAuth 2.0 authentication? ›

OAuth 2.0 allows users to share specific data with an application while keeping their usernames, passwords, and other information private. For example, an application can use OAuth 2.0 to obtain permission from users to store files in their Google Drives. This OAuth 2.0 flow is called the implicit grant flow.

When should I use OAuth2? ›

If you want to enable other companies and developers to access the data of your users with their consent, then OAuth2 and OpenID Connect are essential. OAuth2 enables users to grant consent to third-party applications to access their data, providing a secure way to authenticate user requests.

What is Auth0 vs OAuth? ›

OAuth is primarily focused on enabling authorization for APIs. Auth0 and OAuth can be used together to build secure and scalable authentication and authorization solutions. OAuth can be used to grant access to APIs, while Auth0 can be used to manage the authentication and authorization process for your applications.

How does Auth0 authorization work? ›

How Authorization Code Flow works. User selects Login within application. Auth0's SDK sends authorization code, application's client ID, and application's credentials, such as client secret or Private Key JWT, to Auth0 Authorization Server ( /oauth/token endpoint).

What is the difference between authentication and authorization in Auth0? ›

In simple terms, authentication is the process of verifying who a user is, while authorization is the process of verifying what they have access to. Comparing these processes to a real-world example, when you go through security in an airport, you show your ID to authenticate your identity.

What is OAuth 2.0 in simple terms? ›

OAuth 2.0, which stands for “Open Authorization”, is a standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user.

What is the difference between okta and Auth0? ›

With Auth0, developers can link any app, no matter what programming language or technology it uses. They can also pick the integrations they want to use. On the other hand, Okta uses simple building blocks called Platform Services that users can combine to create new features.

Does Auth0 use OAuth or SAML? ›

Auth0 supports the SAML protocol and can serve as the IdP, the SP, or both including: SAML2 web applications.

Is Auth0 and JWT the same? ›

In conclusion, Auth0 and JWT are two different approaches to handling authentication and authorization in web applications and APIs. Auth0 is a complete platform, and JWT is a self-contained way to securely transmit information between parties. Depending on your needs and preferences, you may choose to use one, the other, or both.

Article information

Author: Ray Christiansen