OAuth
OAuth (Open Authorization) is an open standard protocol that allows users to grant third-party applications limited access to their resources on another service—without sharing their credentials. It’s commonly used for secure delegated access, such as allowing a web app to post to a user’s social media account or access cloud storage on their behalf.
Also known as: OAuth 2.0 (current version), Authorization framework
Comparisons
- OAuth vs. API Key: API keys are static credentials, while OAuth provides time-limited, scope-specific tokens.
- OAuth vs. OpenID Connect: OAuth handles authorization, whereas OpenID Connect extends it for user authentication.
Pros
- Enhanced security: Keeps user passwords confidential by using access tokens.
- Granular control: Tokens can be scoped and time-limited.
- Widely supported: Used by platforms like Google, Facebook, GitHub, and Microsoft.
Cons
- Complex to implement: Requires understanding multiple flows and token types.
- Token management overhead: Requires secure storage and timely refresh of tokens.
Example
When logging into a web app using your Google account, you are redirected to Google for authentication. You then grant permission for the app to access certain Google services (like contacts or calendar). The app receives an OAuth access token, which it uses to interact with Google APIs—without ever knowing your Google password.
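The redirect, consent, code exchange and token use described above, shown as an added example that is not part of the original page and does not use any real provider's API: a toy authorization server, resource server and client app modelled on the OAuth 2.0 authorization code grant. All names (`auth.example`, `app.example`, the `webapp` client, the `contacts.read` scope, the `CONTACTS` data) are constructed. It also shows the checks a defender expects on the server side: the `state` value tying the callback to a pending login, single-use codes, the client secret verified at the token endpoint, and bearer tokens that are scoped and time-limited (the properties contrasted with static API keys above).

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample data behind the toy resource server (assumption: not a real API).
CONTACTS = {"alice": ["bob@example.com", "carol@example.com"]}


def _query(url):
    """Return the URL's query string as a flat dict of single values."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    """Issues single-use authorization codes and scoped, expiring access tokens."""

    def __init__(self, token_ttl=3600):
        self.token_ttl = token_ttl  # lifetime of issued access tokens, in seconds
        self.clients = {}  # client_id -> {"secret", "redirect_uri"}
        self.codes = {}    # authorization code -> grant details
        self.tokens = {}   # access token -> {"user", "scope", "expires"}

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = {"secret": client_secret, "redirect_uri": redirect_uri}

    def authorize(self, authorize_url, user):
        # In a real deployment the user signs in and consents here; the server then
        # redirects the browser back to the client's registered redirect_uri with a code.
        q = _query(authorize_url)
        client = self.clients.get(q.get("client_id"))
        if (client is None or q.get("response_type") != "code"
                or client["redirect_uri"] != q.get("redirect_uri")):
            raise ValueError("invalid_request")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": q["client_id"], "user": user,
                            "scope": q.get("scope", ""), "expires": time.time() + 60}
        return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, client_id, client_secret, code, redirect_uri):
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise ValueError("invalid_client")
        grant = self.codes.pop(code, None)  # pop: a code is redeemable exactly once
        if (grant is None or grant["client_id"] != client_id
                or client["redirect_uri"] != redirect_uri or grant["expires"] < time.time()):
            raise ValueError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": grant["user"], "scope": grant["scope"],
                              "expires": time.time() + self.token_ttl}
        return {"access_token": token, "token_type": "Bearer",
                "expires_in": self.token_ttl, "scope": grant["scope"]}


class ResourceServer:
    """The protected API: checks that the bearer token exists, is unexpired and has scope."""

    def __init__(self, auth_server):
        self.auth = auth_server

    def get_contacts(self, authorization_header):
        if not authorization_header.startswith("Bearer "):
            return 401, "missing bearer token"
        info = self.auth.tokens.get(authorization_header[len("Bearer "):])
        if info is None or info["expires"] <= time.time():
            return 401, "invalid or expired token"
        if "contacts.read" not in info["scope"].split():
            return 403, "insufficient_scope"
        return 200, CONTACTS[info["user"]]


class ClientApp:
    """The third-party web app: it never sees the password, only the code and token."""

    def __init__(self, auth_server, client_id, client_secret, redirect_uri):
        self.auth, self.client_id = auth_server, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self.pending_states = set()

    def start_login(self, scope):
        # The random state ties the later callback to this login attempt (CSRF protection).
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "scope": scope, "state": state}
        return "https://auth.example/authorize?" + urlencode(params)

    def handle_callback(self, callback_url):
        q = _query(callback_url)
        if q.get("state") not in self.pending_states:
            raise ValueError("state mismatch: callback is not tied to a pending login")
        self.pending_states.discard(q["state"])
        return self.auth.token(self.client_id, self.client_secret, q["code"], self.redirect_uri)


def run_flow(scope="contacts.read", ttl=3600):
    """Drive one authorization code exchange end to end and report what happened."""
    auth = AuthorizationServer(token_ttl=ttl)
    auth.register_client("webapp", "s3cret", "https://app.example/callback")
    api = ResourceServer(auth)
    app = ClientApp(auth, "webapp", "s3cret", "https://app.example/callback")
    callback = auth.authorize(app.start_login(scope), user="alice")  # user consents
    token = app.handle_callback(callback)
    status, body = api.get_contacts(f"Bearer {token['access_token']}")
    try:  # replaying the already-consumed code must fail
        auth.token("webapp", "s3cret", _query(callback)["code"], "https://app.example/callback")
        replay = "accepted"
    except ValueError as exc:
        replay = str(exc)
    try:  # a callback carrying a state the app never issued must be rejected
        app.handle_callback("https://app.example/callback?code=x&state=forged")
        forged = "accepted"
    except ValueError:
        forged = "rejected"
    return {"status": status, "body": body, "replay": replay, "forged": forged}
```

`run_flow()` completes the happy path and returns status 200 with the contacts; `run_flow(scope="calendar.read")` gets a valid token that the contacts endpoint still refuses with 403, and `run_flow(ttl=0)` shows an expired token refused with 401, which is the time-limited, scope-specific behaviour that distinguishes an OAuth token from a static API key. Real servers persist codes and tokens, and public clients (mobile or single-page apps) add PKCE on top of the state check; both are omitted here to keep the exchange readable.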