OAuth 2.0 Overview
Understanding the OAuth 2.0 authorization framework and how OAuth42 implements it for secure, delegated access to protected resources.
What is OAuth 2.0?
OAuth 2.0 is an industry-standard authorization framework that enables applications to obtain limited access to user accounts on an HTTP service. It works by delegating user authentication to the service that hosts the user account and authorizing third-party applications to access that account on the user's behalf, within the limits the user approved.
OAuth 2.0 provides authorization flows for web applications, desktop applications, mobile phones, and IoT devices. It's designed to provide specific authorization flows for different types of applications while remaining simple for developers to implement.
Key Concept
OAuth 2.0 is about authorization, not authentication. While it can be used as part of an authentication system (via OpenID Connect), OAuth 2.0 itself is designed to grant limited access to resources.
Key Terminology
Resource Owner
The user who owns the data and can grant access to it. For example, you are the resource owner of your email account.
Client
The application that wants to access the user's data. This could be a web app, mobile app, or desktop application.
Authorization Server
The server that authenticates the resource owner and issues access tokens once the resource owner has granted authorization. OAuth42 is your authorization server.
Resource Server
The API server that hosts the protected user data. The resource server accepts and validates access tokens.
Access Token
A credential that can be used by the client to access protected resources. Tokens are typically short-lived and have a defined scope of access.
Refresh Token
A credential used to obtain new access tokens without requiring the user to re-authenticate. Refresh tokens are long-lived and should be stored securely.
OAuth 2.0 Grant Types
OAuth 2.0 defines several grant types (flows) for different use cases. OAuth42 supports the following:
Authorization Code Grant with PKCE (Recommended)
The most secure and flexible grant type, suitable for server-side web apps, mobile apps, and single-page applications.
How it works:
- Client redirects user to authorization server with a code challenge (PKCE)
- User authenticates and grants permission
- Authorization server redirects back with an authorization code
- Client exchanges the code (and code verifier) for tokens
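The four steps above, as an added worked example that is not OAuth42's own code: it generates the PKCE code verifier and S256 challenge as RFC 7636 specifies, builds the step 1 authorization request (challenge only, plus a random state), prepares the step 4 token exchange body (which is the first time the verifier leaves the client), and shows the check the authorization server performs before releasing tokens. The endpoint URLs, client ID and redirect URI are constructed placeholders; this page does not give OAuth42's actual endpoint paths.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed placeholders: OAuth42's real endpoint paths are not given on this page.
AUTHORIZE_ENDPOINT = "https://auth.example.com/oauth2/authorize"
TOKEN_ENDPOINT = "https://auth.example.com/oauth2/token"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/callback"


def _b64url(raw: bytes) -> str:
    """Base64url-encode without '=' padding, the alphabet RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """Step 1 (client side): a high-entropy secret, 43-128 chars once encoded.

    32 random bytes encode to exactly 43 characters, the RFC minimum.
    The verifier is kept in the user's server-side session; it never travels
    in the authorization request."""
    return _b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """Derive the S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def generate_state() -> str:
    """Random, unguessable CSRF binding value, stored alongside the verifier."""
    return secrets.token_urlsafe(32)


def build_authorization_url(challenge: str, state: str, scope: str = "openid profile") -> str:
    """Step 1: the URL the browser is redirected to. Only the challenge is sent."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def token_request_body(code: str, verifier: str) -> dict:
    """Step 4: form body POSTed to TOKEN_ENDPOINT. The verifier is revealed here,
    over TLS, directly to the authorization server, so an intercepted code alone
    is useless to an attacker who never saw the verifier."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }


def server_verifies_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """What the authorization server does at step 4: recompute the challenge from
    the presented verifier and compare it (constant time) with the one it stored
    against the authorization code in step 1."""
    return secrets.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)
    state = generate_state()
    print("redirect user to:", build_authorization_url(challenge, state))
    # ... user authenticates, callback arrives with ?code=...&state=... ...
    print("token request:", token_request_body("<code-from-callback>", verifier))
    print("server accepts:", server_verifies_pkce(challenge, verifier))
```

The test vector used below is the one published in RFC 7636 Appendix B, which is a convenient way to confirm an implementation uses the right hash, encoding and padding rules before wiring it to a real authorization server.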
Client Credentials Grant
Used for machine-to-machine (M2M) access where no user is involved: the client acts on its own behalf rather than on behalf of a resource owner. Well suited to backend services, cron jobs, and server-to-server communication.
How it works:
- Client authenticates directly with client ID and secret
- Authorization server issues an access token
- No user interaction required
Refresh Token Grant
Used to obtain new access tokens when the current token expires, without requiring the user to re-authenticate.
How it works:
- Client receives a refresh token along with the initial access token
- When access token expires, client sends refresh token to token endpoint
- Authorization server validates refresh token and issues new tokens
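An added example of the client side of this flow (not OAuth42's code): a small token manager that serves the cached access token while it is still valid, calls the token endpoint with `grant_type=refresh_token` when the token is within a clock-skew window of expiry, adopts a rotated refresh token if the server returns one, and surfaces an `invalid_grant` error as "the user must re-authenticate". The HTTP call to the token endpoint is injected as a callable and the clock is injectable, so the example runs offline; the client ID is a constructed placeholder.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional

CLIENT_ID = "example-client-id"  # constructed placeholder


class ReauthenticationRequired(Exception):
    """Raised when the refresh token itself is rejected (expired, revoked, reused):
    the only recovery is to send the user through the authorization flow again."""


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float  # absolute epoch seconds; computed from expires_in on receipt


def from_token_response(resp: dict, now: float, previous_refresh: Optional[str] = None) -> TokenSet:
    """Convert a token endpoint JSON response into a TokenSet.

    Servers may rotate the refresh token on every use; if a new one is present it
    replaces the old one, otherwise the previous refresh token stays valid."""
    return TokenSet(
        access_token=resp["access_token"],
        refresh_token=resp.get("refresh_token") or previous_refresh,
        expires_at=now + float(resp["expires_in"]),
    )


class TokenManager:
    def __init__(
        self,
        tokens: TokenSet,
        post_token_request: Callable[[dict], dict],
        clock: Callable[[], float] = time.time,
        skew_seconds: float = 30.0,
    ):
        self.tokens = tokens
        # Injected: in a real client this POSTs the form body to the token endpoint
        # (with client authentication for confidential clients) and returns the JSON.
        self._post = post_token_request
        self._clock = clock
        self._skew = skew_seconds
        self.refresh_count = 0

    def access_token(self) -> str:
        """Return a usable access token, refreshing first if it is about to expire.

        Refreshing slightly early (skew window) avoids sending a token that expires
        in flight and fails at the resource server."""
        now = self._clock()
        if now + self._skew < self.tokens.expires_at:
            return self.tokens.access_token

        body = {
            "grant_type": "refresh_token",
            "refresh_token": self.tokens.refresh_token,
            "client_id": CLIENT_ID,
        }
        resp = self._post(body)
        if "error" in resp:
            # invalid_grant is the standard answer for a dead refresh token.
            raise ReauthenticationRequired(resp.get("error_description", resp["error"]))

        self.tokens = from_token_response(resp, now, previous_refresh=self.tokens.refresh_token)
        self.refresh_count += 1
        return self.tokens.access_token


if __name__ == "__main__":
    # Constructed stand-in for the token endpoint: issues a fresh pair each time.
    def fake_endpoint(body: dict) -> dict:
        return {"access_token": "new-access", "refresh_token": "new-refresh", "expires_in": 600}

    tm = TokenManager(TokenSet("old-access", "old-refresh", time.time() - 1), fake_endpoint)
    print(tm.access_token(), tm.tokens.refresh_token, tm.refresh_count)
```

Persist `TokenManager.tokens` after every refresh: once the server rotates the refresh token, the old value is dead, and losing the new one forces the user back through the login flow.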
Security Best Practices
Always Use PKCE
Proof Key for Code Exchange (PKCE) prevents authorization code interception attacks. OAuth42 requires PKCE for all authorization code flows.
Use State Parameter
Always include a random, unguessable state parameter in authorization requests to prevent CSRF attacks, and bind it to the user's session. When handling the callback, verify that the returned state matches the value you issued before accepting the authorization code.
Validate Redirect URIs
Register exact redirect URIs in your OAuth client configuration. OAuth42 checks every redirect URI in an authorization request against the registered values to prevent open redirect vulnerabilities.
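The two callback-side checks above (state verification and exact redirect URI matching), as an added example that is not OAuth42's code: a `PendingAuthorization` record is written to the user's session before the redirect, and `handle_callback` accepts an authorization code only if the callback arrived at a registered redirect URI (exact string match, no prefix or substring matching, no fragment), carries a state that matches the pending one in constant time, has not been replayed, and contains exactly one code. The registered URI and the sample callback URLs are constructed.

```python
import hmac
import secrets
from typing import NamedTuple, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed registration: the exact URIs this client registered with the
# authorization server. Membership is a plain string comparison on purpose.
REGISTERED_REDIRECT_URIS = frozenset({"https://app.example.com/callback"})


def is_registered_redirect_uri(candidate: str) -> bool:
    """Exact match only. Anything else (trailing slash, extra path segment,
    look-alike host, fragment) is rejected; fragments are never allowed in
    redirect URIs by RFC 6749."""
    if not candidate or "#" in candidate:
        return False
    return candidate in REGISTERED_REDIRECT_URIS


class PendingAuthorization:
    """Stored in the server-side session when the authorization request is built.
    Consumed exactly once by the matching callback."""

    def __init__(self) -> None:
        self.state = secrets.token_urlsafe(32)
        self.used = False


class CallbackResult(NamedTuple):
    code: Optional[str]   # the authorization code when accepted
    reason: Optional[str]  # why the callback was rejected, otherwise None


def handle_callback(callback_url: str, pending: Optional[PendingAuthorization]) -> CallbackResult:
    """Validate the redirect back from the authorization server."""
    parts = urlsplit(callback_url)
    # The URI the response landed on, without query or fragment, must be registered.
    landed_on = parts._replace(query="", fragment="").geturl()
    if not is_registered_redirect_uri(landed_on):
        return CallbackResult(None, "callback arrived at an unregistered redirect URI")

    params = parse_qs(parts.query, keep_blank_values=True)

    if "error" in params:
        # e.g. access_denied: the user refused consent; no code to exchange.
        return CallbackResult(None, "authorization server returned error: " + params["error"][0])

    if pending is None or pending.used:
        return CallbackResult(None, "no pending authorization for this session (possible CSRF or replay)")

    received_state = params.get("state", [""])[0]
    if not hmac.compare_digest(received_state, pending.state):
        return CallbackResult(None, "state mismatch: response not bound to this session")
    pending.used = True  # one callback per authorization request, ever

    codes = params.get("code", [])
    if len(codes) != 1 or not codes[0]:
        return CallbackResult(None, "expected exactly one authorization code")
    return CallbackResult(codes[0], None)


if __name__ == "__main__":
    pending = PendingAuthorization()
    good = f"https://app.example.com/callback?code=SplxlOBeZQQYbYS6WxSbIA&state={pending.state}"
    print(handle_callback(good, pending))
    print(handle_callback(good, pending))  # replay of the same callback is refused
```

The state check protects the user (it stops an attacker from completing a login in the victim's browser with the attacker's code), while exact redirect URI matching protects the code itself from being sent somewhere the client never registered; both are needed, and neither replaces PKCE.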
Store Tokens Securely
Never store tokens in local storage or in cookies readable by JavaScript, where any script injected into the page can exfiltrate them. Use secure, HttpOnly cookies or the secure storage mechanisms provided by your platform.
Next Steps
OpenID Connect
Learn about OIDC, the identity layer built on top of OAuth 2.0
PKCE Implementation
Deep dive into implementing PKCE for secure authorization flows
Tokens and Sessions
Understand token lifecycle, refresh strategies, and session management
Quick Start Guide
Get started with OAuth42 in 5 minutes with code examples