image de chargement
Back to glossary

OAuth 2.0

Authorization framework enabling third-party applications to access user resources without exposing credentials.

Updated on January 12, 2026

OAuth 2.0 is the industry-standard authorization protocol that enables users to grant limited access to their resources without sharing passwords. Unlike authentication which verifies identity, OAuth 2.0 focuses on delegated authorization, allowing third-party applications to act on behalf of a user with specific permissions. This protocol is massively adopted by Google, Facebook, GitHub, and virtually all modern web services to manage secure access.

Protocol Fundamentals

  • Role separation: Resource Owner (user), Client (application), Authorization Server, and Resource Server (protected API)
  • Usage of temporary access tokens rather than direct user credentials
  • Four main authorization flows: Authorization Code, Implicit, Resource Owner Password Credentials, and Client Credentials
  • Granular scopes precisely defining permissions granted to the client application

Strategic Benefits

  • Enhanced security: passwords are never shared with third-party applications
  • Granular control: users can revoke access anytime without changing their password
  • Seamless user experience: quick login via existing accounts (Google, Facebook, etc.)
  • Standardization: uniform implementation facilitating integration between heterogeneous systems
  • Scalability: stateless architecture enabling millions of simultaneous authorizations

Practical Example: Authorization Code Flow

The Authorization Code flow is the most secure and recommended for web applications. Here's a TypeScript server-side implementation using Express and the Passport library:

oauth-server.ts
import express from 'express';
import passport from 'passport';
import { Strategy as OAuth2Strategy } from 'passport-oauth2';

const app = express();

// OAuth 2.0 strategy configuration
passport.use('oauth2', new OAuth2Strategy({
  authorizationURL: 'https://provider.com/oauth/authorize',
  tokenURL: 'https://provider.com/oauth/token',
  clientID: process.env.CLIENT_ID!,
  clientSecret: process.env.CLIENT_SECRET!,
  callbackURL: 'https://myapp.com/auth/callback',
  scope: ['read:user', 'read:email']
},
async (accessToken, refreshToken, profile, done) => {
  try {
    // Find or create user in database
    const user = await findOrCreateUser({
      providerId: profile.id,
      accessToken,
      refreshToken
    });
    return done(null, user);
  } catch (error) {
    return done(error);
  }
}));

// Authentication initiation route
app.get('/auth/login',
  passport.authenticate('oauth2'));

// Callback route after authorization
app.get('/auth/callback',
  passport.authenticate('oauth2', { failureRedirect: '/login' }),
  (req, res) => {
    // Authentication successful
    res.redirect('/dashboard');
  }
);

// Using token to access resources
app.get('/api/profile', async (req, res) => {
  const token = req.user.accessToken;
  const response = await fetch('https://api.provider.com/user', {
    headers: { 'Authorization': `Bearer ${token}` }
  });
  const data = await response.json();
  res.json(data);
});

OAuth 2.0 Implementation

  1. Register your application with the OAuth provider to obtain client_id and client_secret
  2. Define necessary scopes based on resources you need to access
  3. Implement the appropriate authorization flow (Authorization Code recommended for web apps)
  4. Configure redirect URL (callback) securely (HTTPS mandatory)
  5. Manage secure token storage (encrypted at rest, never exposed client-side)
  6. Implement automatic token refresh using refresh_token
  7. Set up robust error handling and retry strategy
  8. Regularly audit granted permissions and revoke unused access

Professional Security Tip

Always use PKCE (Proof Key for Code Exchange) even for confidential applications. This OAuth 2.0 extension protects against authorization code interception attacks. Store client_secret in a secrets manager (HashiCorp Vault, AWS Secrets Manager) and never in source code. Implement regular token rotation and limit their lifetime to the strict minimum required.

Related Tools and Libraries

  • Passport.js (Node.js): authentication middleware supporting 500+ OAuth strategies
  • Spring Security OAuth (Java): comprehensive framework for authorization servers and clients
  • Authlib (Python): complete OAuth library for Flask and Django
  • IdentityServer (C#/.NET): certified OAuth 2.0 and OpenID Connect server
  • Auth0, Okta, Keycloak: Identity-as-a-Service solutions with integrated OAuth 2.0
  • Postman, Insomnia: API testing tools with native OAuth 2.0 support
  • OAuth 2.0 Playground: Google tool to experiment with OAuth flows

OAuth 2.0 establishes itself as the backbone of modern API security and the platform economy. By enabling controlled resource sharing, it drastically reduces risks of massive compromise while facilitating innovation through third-party integrations. For organizations, mastering OAuth 2.0 is no longer optional: it's a prerequisite for any secure cloud-native architecture and to comply with regulations like GDPR that require granular control over personal data access.

Related terms

Themoneyisalreadyonthetable.

In 1 hour, discover exactly how much you're losing and how to recover it.

Agence de développement web, automatisation & IA

contact@peaklab.fr
Follow us

© PeakLab 2025

Mentions légalesPolitique de confidentialitéPlan du site