Definition

OAuth (Open Authorization) is a protocol that enables individuals to permit third-party applications to access resources on another website without sharing login credentials.

Apps and websites use OAuth to let users access services without creating a separate account for each platform. A familiar example is logging into various sites with your Facebook, Apple, or Google account.

How OAuth Works

  1. Access request: The flow starts when a third-party app asks for permission to access the user's resources.
  2. User permission prompt: The website or app that holds the resources asks the user whether to grant the third party that access.
  3. OAuth access token issuance: Once the user consents, an access token is issued to the third-party platform.
  4. Resource access: The third-party platform uses the token to access only the resources the user approved. The user can revoke that access at any time.
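The four steps above, modelled end to end as an added example (not code from the original page): a constructed, in-memory authorization/resource server and a client callback implementing the OAuth 2.0 authorization code grant, with single-use codes, a `state` check on the redirect, short-lived access tokens renewed by refresh token, and user revocation. The client id `demo-app` and redirect URI `https://client.example/cb` are assumed placeholders.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

class AuthorizationServer:
    # Constructed stand-in for the site holding the user's resources (e.g. Google).
    def __init__(self, token_ttl=300):
        self.ttl, self.codes, self.access, self.refresh = token_ttl, {}, {}, {}

    def authorize(self, client_id, scope, state, consent):
        # Steps 1-2: the client asks for `scope`; the user is prompted and may decline.
        if not consent:
            return "https://client.example/cb?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, scope)  # single-use, bound to the requesting client
        return "https://client.example/cb?" + urlencode({"code": code, "state": state})

    def token(self, client_id, code=None, refresh_token=None):
        # Step 3: exchange the code (first time) or a refresh token (later) for an access token.
        if code is not None:
            owner, scope = self.codes.pop(code, (None, None))
            if owner != client_id:
                return None
            refresh_token = secrets.token_urlsafe(16)
            self.refresh[refresh_token] = scope
        elif refresh_token not in self.refresh:
            return None  # unknown or revoked refresh token
        else:
            scope = self.refresh[refresh_token]
        at = secrets.token_urlsafe(16)
        self.access[at] = (scope, time.time() + self.ttl, refresh_token)
        return {"access_token": at, "refresh_token": refresh_token, "expires_in": self.ttl}

    def resource(self, access_token, needed_scope):
        # Resource-server check: the token must exist, be unexpired, and cover the scope.
        scope, exp, _ = self.access.get(access_token, (None, 0, None))
        return scope is not None and time.time() < exp and needed_scope in scope.split()

    def revoke(self, refresh_token):
        # Step 4: the user revokes; the refresh token and every access token minted from it die.
        self.refresh.pop(refresh_token, None)
        self.access = {k: v for k, v in self.access.items() if v[2] != refresh_token}

def app_callback(server, redirect_url, expected_state, client_id="demo-app"):
    # Client side of step 3: accept the redirect only if `state` matches the session that started the flow.
    q = parse_qs(urlsplit(redirect_url).query)
    if q.get("state", [None])[0] != expected_state or "code" not in q:
        return None  # state mismatch (possible forged callback) or the user declined
    return server.token(client_id, code=q["code"][0])
```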

Examples of OAuth

Types of Grants on OAuth

OAuth 1.0 vs. OAuth 2.0

Unlike OAuth 1.0, OAuth 2.0 defines distinct roles: the client, the authorization server, the resource server, and the resource owner. It also doesn't require the client to generate signatures for message security; instead it relies on SSL/TLS (HTTPS) to protect communication.

OAuth 2.0 access tokens also have a short lifespan, yet the user doesn't have to reauthorize, because the client uses refresh tokens to acquire new access tokens.

OAuth 2.0 also provides purpose-specific sub-flows designed for different kinds of clients, including web and mobile applications, desktop applications, living-room devices, and API-based services running outside a browser.

SAML vs. OAuth

OAuth is an authorization protocol, while SAML is a federated authentication protocol to enhance enterprise security.

SAML focuses on user-centric access control, while OAuth emphasizes application-centric authorization. The former uses XML for message exchange, while the latter uses JSON.