OAuth (Open Authorisation) is an open-standard framework that allows a user to grant a third-party application limited access to their resources on another service — without sharing their password. It is the technology behind "Login with Google", "Sign in with GitHub", and similar social login buttons.
Authentication vs Authorisation
- Authentication — Verifying who you are ("Are you really Alice?"). Handled by OpenID Connect (OIDC), which is built on top of OAuth 2.0 and adds a signed ID token that the client validates. A bare OAuth access token does not prove who the user is; it only proves that someone was granted access to a resource, so an app that treats "I obtained a token" as "the user is Alice" is misusing the protocol.
- Authorisation — Deciding what you are allowed to do ("Alice can read her calendar but not post tweets"). This is what OAuth 2.0 itself handles.
How OAuth 2.0 Works (Simplified)
- User clicks "Login with Google" on your app.
- Your app redirects the browser to Google's authorisation endpoint with a request specifying the scopes (permissions) needed (e.g. read profile, read email), a random state value that your app stores in the user's session and, with PKCE (RFC 7636), a code_challenge that is the SHA-256 hash of a fresh random code_verifier.
- Google authenticates the user and asks them to approve the requested permissions.
- Google redirects the browser back to your app's registered redirect URI with a short-lived, single-use authorisation code and the same state value. Your app must reject the response if the state does not match the one it stored; this is what stops an attacker planting their own code in a victim's session (login CSRF). The redirect URI must be matched exactly on the Google side, otherwise the code can be delivered to an attacker-controlled page.
- Your app exchanges the code (server-to-server, authenticating with its client secret and presenting the PKCE code_verifier) for an access token. Because this happens on the back channel, the access token never passes through the browser.
- Your app uses the access token to call Google APIs on behalf of the user.
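The six steps above, run end to end as an added example that is not part of the original page: a self-contained Python simulation of the authorisation-code flow with a state check and PKCE (RFC 7636). The authorisation server, the client, the client_id and secret, the URLs and the users are all constructed stand-ins, and the two parties call each other directly rather than over HTTPS redirects, so the exchange runs offline. The checks it enforces (exact redirect_uri match, state comparison, single-use code, PKCE verification) are the ones the steps describe.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def query(url: str) -> dict:
    """Flatten a URL's query string into a dict of single values."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class AuthorizationServer:
    """Toy authorisation server standing in for Google; client and URLs are constructed."""
    def __init__(self):
        # Registered clients: client_id -> (client_secret, exact allowed redirect URIs)
        self.clients = {"demo-client": ("demo-secret", {"https://app.example/callback"})}
        self.codes = {}  # issued code -> details of the grant it represents

    def authorize(self, params: dict, logged_in_user: str) -> str:
        """Front channel (steps 3-4): user has logged in and consented; return the redirect."""
        _, allowed = self.clients[params["client_id"]]
        # Exact-match redirect_uri check: anything looser can deliver the code to an attacker.
        if params["redirect_uri"] not in allowed:
            raise ValueError("unregistered redirect_uri")
        if params.get("response_type") != "code" or params.get("code_challenge_method") != "S256":
            raise ValueError("only response_type=code with PKCE S256 is supported")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": params["client_id"], "redirect_uri": params["redirect_uri"],
                            "scope": params["scope"], "code_challenge": params["code_challenge"],
                            "user": logged_in_user}
        # state is echoed back untouched so the client can bind this response to its own request
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form: dict) -> dict:
        """Back channel (step 5): exchange a single-use code for an access token."""
        grant = self.codes.pop(form["code"], None)  # pop, so a replayed code fails here
        if grant is None:
            raise ValueError("invalid or already-used code")
        secret, _ = self.clients[form["client_id"]]
        if grant["client_id"] != form["client_id"] or not secrets.compare_digest(secret, form["client_secret"]):
            raise ValueError("client authentication failed")
        if grant["redirect_uri"] != form["redirect_uri"]:
            raise ValueError("redirect_uri mismatch")
        # PKCE: SHA-256(code_verifier) must equal the code_challenge sent in the authorisation request
        expected = b64url(hashlib.sha256(form["code_verifier"].encode("ascii")).digest())
        if not secrets.compare_digest(expected, grant["code_challenge"]):
            raise ValueError("PKCE verification failed")
        return {"access_token": "at-" + secrets.token_urlsafe(16), "token_type": "Bearer",
                "expires_in": 3600, "scope": grant["scope"], "sub": grant["user"]}

class Client:
    """Toy relying party ("your app"); calls the server object directly instead of over HTTPS."""
    def __init__(self, server: AuthorizationServer):
        self.server = server
        self.client_id, self.client_secret = "demo-client", "demo-secret"
        self.redirect_uri = "https://app.example/callback"
        self.sessions = {}  # browser session -> state and code_verifier awaiting the callback

    def start_login(self, session: str, scope: str = "openid email") -> str:
        """Step 2: build the authorisation URL the browser is redirected to."""
        verifier = b64url(secrets.token_bytes(32))
        challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
        state = secrets.token_urlsafe(16)
        self.sessions[session] = {"state": state, "code_verifier": verifier}
        return "https://as.example/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
            "scope": scope, "state": state, "code_challenge": challenge, "code_challenge_method": "S256"})

    def handle_callback(self, session: str, callback_url: str) -> dict:
        """Steps 4-5: verify state, then redeem the code server-to-server."""
        pending = self.sessions.pop(session, None)
        q = query(callback_url)
        if pending is None or not secrets.compare_digest(q.get("state", ""), pending["state"]):
            raise ValueError("state mismatch: possible login CSRF")
        return self.server.token({"grant_type": "authorization_code", "code": q["code"],
                                  "redirect_uri": self.redirect_uri, "client_id": self.client_id,
                                  "client_secret": self.client_secret, "code_verifier": pending["code_verifier"]})

def run_flow(user: str = "alice") -> dict:
    """Drive one complete login for a constructed user and return the token response."""
    client = Client(AuthorizationServer())
    callback_url = client.server.authorize(query(client.start_login("browser-1")), logged_in_user=user)
    return client.handle_callback("browser-1", callback_url)

def tampered_state_is_rejected() -> bool:
    """A callback carrying a state the app never issued must fail before any code exchange."""
    client = Client(AuthorizationServer())
    callback_url = client.server.authorize(query(client.start_login("browser-2")), logged_in_user="mallory")
    try:
        client.handle_callback("browser-2", callback_url.replace("state=", "state=x"))
    except ValueError:
        return True
    return False
```

`run_flow()` returns the token response for the constructed user, with `sub` set to that user; `tampered_state_is_rejected()` shows the state check refusing an injected callback before the code is ever sent to the token endpoint. Two details worth copying into a real client: the `state` and `code_verifier` live in the user's server-side session, never in the URL, and the comparisons use `secrets.compare_digest` rather than `==`.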
Key OAuth Concepts
- Access token — A short-lived credential that grants access to specific resources.
- Refresh token — A longer-lived token used to obtain new access tokens without re-authentication.
- Scope — Defines the level of access requested (e.g. email, read:user). Request the narrowest set the app actually needs; every extra scope is extra blast radius if the token leaks.
- Client ID / Secret — Credentials that identify your application to the authorisation server. The secret must stay server-side; public clients (single-page apps, mobile apps) cannot keep a secret and rely on PKCE instead.
OAuth 2.0 vs OAuth 1.0
OAuth 2.0 (RFC 6749, 2012) is simpler, relies on TLS (HTTPS) to protect bearer tokens in transit instead of signing every request cryptographically, and supports more grant types. The trade-off is that a bearer token is usable by whoever holds it, so token leakage matters more than it did with OAuth 1.0's signed requests. OAuth 1.0 (and its 1.0a revision, RFC 5849) is largely obsolete.