What is OAuth 2.0

This document provides a brief description of what types of problems that OAuth 2.0 solves.

Important: Many companies use OAuth 2.0 for authentication, however, it is really intended as an authorization protocol. We recommend using OpenIDConnect in lieu of OAuth 2.0 as it is specifically designed to handle authentication, but since OpenIDConnect is based on OAuth 2.0, it is helpful to understand how it works and to use it as a knowledge base upon which we'll use to better understand OpenIDConnect.

Overview

OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.

What is the purpose of this?

OAuth 2.0 provides a mechanism by which different services on the Internet can inter-operate and share data and resources, without compromising a user's credentials. For instance, if you wanted one application, such as Yelp.com to be able to access your Gmail account's contact list, but didn't want Yelp to be able to log into your Gmail account and read your emails, or personal images, etc.

How does it do this?

The actual protocol is shown below. It is important to get an understanding of this because OpenID Connect is really just a specialization of OAuth.