OAuth (Open Authorization)

OAuth enables secure third-party access to user resources without sharing passwords, forming the backbone of modern API security and single sign-on.

Why it matters

• Eliminates password sharing between applications, reducing credential exposure.
• Enables granular permission scopes, limiting what third-party apps can access.
• Required for enterprise identity federation and API ecosystem security.
• Foundation for modern authentication protocols like OpenID Connect (OIDC).

How it works

• Authorization Grant: User approves access via consent screen.
• Access Token: Short-lived credential for API requests.
• Refresh Token: Long-lived token to obtain new access tokens.
• Scopes: Define specific permissions (read email, access calendar).
• Authorization Server: Issues tokens after validating user consent.

Common OAuth flows

• Authorization Code Flow: Most secure, used for web and mobile apps.
• Client Credentials Flow: Service-to-service authentication.
• Implicit Flow: Legacy browser-based flow (deprecated).
• PKCE Extension: Protects authorization code flow from interception.

Security considerations

• Always validate redirect URIs to prevent token theft.
• Use PKCE for mobile and single-page applications.
• Implement token rotation and expiration policies.
• Monitor for unusual authorization patterns or scope requests.