
OAuth

security authentication web api

What is OAuth?

OAuth (today, OAuth 2.0) is an authorization framework: it lets an app act on your behalf at another service, with a limited set of permissions, without ever seeing your password. The "Login with Google" and "Login with Facebook" buttons are built on it (through OpenID Connect, which adds identity to OAuth's delegated access). Because the app only ever holds a scoped, expiring, revocable token, a breach of that app does not expose your credentials, and you can cut off one app without changing your password.

Simple Analogy

  • Think of OAuth like a hotel key card system:
    1. You check into a hotel (the service that holds your data, like Google). The hotel verifies your identity once at check-in and issues you a key card that only opens specific doors.
    2. When a valet (a third-party app) needs to park your car, you don't hand over your room key (your password).
    3. Instead, the hotel gives the valet a limited-use valet key (an access token) that:
      • Only works for a specific purpose, parking your car (the scope)
      • Only works for a limited time (the token's expiration)
      • Doesn't open your room (the app cannot reach anything beyond what it was granted)
      • Can be revoked without changing your main key (you cut off one app, your password stays the same)

How OAuth Works

  1. Request: An app asks for permission to access some of your data on another service, naming exactly which permissions (scopes) it wants
  2. Redirect: Your browser is sent to the service that has your data (like Google), carrying the app's request
  3. Authentication: You log in to that service (if not already logged in); the app never sees what you type
  4. Permission: You see what the app is requesting and can approve or deny
  5. Authorization: If you approve, the service sends your browser back to the app with a short-lived, single-use authorization code; the app exchanges that code, server to server, for an access token
  6. Access: The app sends this token with each API call, and the service serves only the data covered by the scopes you approved

Key Concepts

  • Resource Owner: You, the person who owns the data
  • Client: The app that wants to use your data
  • Authorization Server: The service that verifies who you are, shows the consent screen, and issues the tokens (like Google's account service)
  • Resource Server: The API that actually holds your data and accepts the token (like the Google Photos API)
  • Access Token: The special key the app presents on each request; it is typically short-lived and limited to the approved scopes
  • Scope: What the app is allowed to do with your data (for example, read your photos but not your mail)
  • Consent: When you say "yes" to letting the app use your data for those scopes

Example

When you use a photo printing app that needs access to your Google Photos:

  1. The app redirects you to Google, asking only for photo access
  2. You log in to your Google account
  3. Google asks if you want to give the app access to your photos (but not your emails or documents)
  4. If you approve, Google sends the app a one-time code, which the app trades for a temporary access token limited to your photos
  5. The app uses this token to read just your photos; the same token presented to the mail API is refused
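The steps under "How OAuth Works" and the photo-printing example above, played out in code. This is an added example written for this page, not code from any OAuth library or provider: it simulates all three parties in one process, the client (the printing app), the authorization server (the Google-like account service) and the resource server (the photos API), using the authorization code flow with a `state` value against CSRF and PKCE (`code_challenge` / `code_verifier`) so that a stolen code cannot be redeemed. The endpoint URL, `photo-printer` client id, redirect URI and scope names are constructed for the demo, and the resource server reads the issuer's token store directly in place of token introspection or a signed token.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed identifiers for the walkthrough (assumptions, not a real provider or app).
AUTHZ_ENDPOINT = "https://auth.example.com/authorize"
CLIENT_ID = "photo-printer"
REDIRECT_URI = "https://printer.example.com/callback"
KNOWN_SCOPES = {"photos.read", "email", "documents"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()  # unpadded base64url

def query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class Client:
    """The third-party app: builds the authorization request and redeems the code it gets back."""
    def __init__(self):
        self.pending = {}  # state -> code_verifier, kept in the app's own session store

    def build_authorization_url(self, scope: str) -> str:
        state = b64url(secrets.token_bytes(16))     # anti-CSRF value tied to this attempt
        verifier = b64url(secrets.token_bytes(32))  # PKCE code_verifier, never leaves the app
        self.pending[state] = verifier
        params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                  "scope": scope, "state": state, "code_challenge_method": "S256",
                  "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest())}
        return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"

    def handle_callback(self, callback_url: str, server: "AuthorizationServer") -> dict:
        q = query(callback_url)
        verifier = self.pending.pop(q.get("state"), None)  # state is single use
        if verifier is None:
            raise ValueError("unknown or reused state: possible CSRF or code injection")
        if "error" in q:
            raise PermissionError(q["error"])
        # Back-channel exchange: the code plus the verifier that only this app knows.
        return server.token("authorization_code", q["code"], REDIRECT_URI, CLIENT_ID, verifier)

class AuthorizationServer:
    """The service holding the account: issues a code on consent, a token on a valid exchange."""
    def __init__(self):
        self.codes = {}   # code -> (client_id, redirect_uri, scope, code_challenge, expiry)
        self.tokens = {}  # access_token -> (scope, expiry)

    def authorize(self, request_url: str, user_approves: bool) -> str:
        """Front channel: the user logs in, sees the requested scope, approves or denies."""
        q = query(request_url)
        if q.get("response_type") != "code" or q.get("code_challenge_method") != "S256":
            raise ValueError("unsupported request")
        if not set(q["scope"].split()) <= KNOWN_SCOPES:
            raise ValueError("invalid_scope")
        if not user_approves:
            return f"{q['redirect_uri']}?{urlencode({'error': 'access_denied', 'state': q['state']})}"
        code = b64url(secrets.token_bytes(24))
        self.codes[code] = (q["client_id"], q["redirect_uri"], q["scope"], q["code_challenge"], time.time() + 60)
        return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, grant_type, code, redirect_uri, client_id, code_verifier) -> dict:
        """Back channel: redeem a code once, bound to the client and PKCE verifier that started the flow."""
        rec = self.codes.pop(code, None)  # consumed on first use, whether or not the exchange succeeds
        if grant_type != "authorization_code" or rec is None:
            raise PermissionError("invalid_grant")
        c_id, r_uri, scope, challenge, expiry = rec
        if (time.time() > expiry or c_id != client_id or r_uri != redirect_uri
                or b64url(hashlib.sha256(code_verifier.encode()).digest()) != challenge):
            raise PermissionError("invalid_grant")  # expired, wrong client, or a captured code without the verifier
        token = b64url(secrets.token_bytes(32))
        self.tokens[token] = (scope, time.time() + 3600)
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600, "scope": scope}

def list_photos(server: AuthorizationServer, token: str) -> list:
    """The photos API (resource server): serves the request only if the token carries photos.read.
    Reading the issuer's token store stands in for introspection or a signed token (demo assumption)."""
    rec = server.tokens.get(token)
    if rec is None or time.time() > rec[1]:
        raise PermissionError("invalid_token")
    if "photos.read" not in rec[0].split():
        raise PermissionError("insufficient_scope")
    return ["beach.jpg", "cat.jpg"]  # constructed sample data

def run_flow(scope="photos.read", user_approves=True):
    """Drive the whole exchange in-process; returns (authorization server, token response)."""
    client, server = Client(), AuthorizationServer()
    callback = server.authorize(client.build_authorization_url(scope), user_approves)
    return server, client.handle_callback(callback, server)

def code_theft_attempt(server: AuthorizationServer, callback_url: str) -> bool:
    """Attacker who captured the redirect (code and state) but not the verifier; True if a token was issued."""
    code = query(callback_url)["code"]
    try:
        server.token("authorization_code", code, REDIRECT_URI, CLIENT_ID, b64url(secrets.token_bytes(32)))
        return True
    except PermissionError:
        return False
```

`run_flow()` walks the happy path and returns a Bearer token scoped to `photos.read`, which `list_photos` accepts; a token obtained with `run_flow(scope="email")` is refused by the same API with `insufficient_scope`, and `run_flow(user_approves=False)` surfaces `access_denied` to the app. `code_theft_attempt` shows why the PKCE step matters: someone who sees the redirect URL has the code and the state, but without the verifier the exchange fails, and because the code is consumed on that first attempt it cannot be retried either.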