TL;DR

  • OAuth 2.0 is a delegated-authorization framework; it does not authenticate the user by itself, so authentication is layered on top (OpenID Connect).
  • The authorization code flow is the standard grant for web apps, with PKCE for public clients (and recommended for all clients).
  • The client redeems the code for tokens at the token endpoint, then presents the access token to the API.

How OAuth 2.0 Works (High Level)

  1. Client redirects the user's browser to the authorization endpoint with client_id, redirect_uri, scope, a fresh state value and a PKCE code challenge.
  2. User authenticates with the authorization server and grants consent.
  3. Authorization server redirects the browser back to the registered redirect_uri with a short-lived, single-use authorization code and the same state.
  4. Client checks the state, then exchanges the code at the token endpoint (authenticating itself and presenting the PKCE verifier) for an access token and optionally a refresh token.
  5. Client calls the resource server with the access token as a bearer credential; the API validates the token before serving the request.
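
The five steps above, run end to end as an added example (not code from the original page or from any provider). It pairs a client with a toy in-memory authorization server so both sides of the exchange execute offline; the client registration, the endpoint URLs and the user "alice" are made up, and the toy server skips client authentication (client_secret) to stay short. It also shows two failure modes the steps imply: a replayed code is refused, and a callback carrying a state the client never issued is rejected before the code is touched.

```python
"""Authorization code flow with PKCE: client plus a toy authorization server.

Added example. ToyAuthorizationServer stands in for a real provider; the
client id "web-app", the URLs and the user are assumptions for the demo.
"""
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

REDIRECT_URI = "https://app.example/callback"  # made-up registered URI


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def pkce_challenge(verifier: str) -> str:
    # S256 method: challenge = BASE64URL(SHA256(verifier))
    return b64url(hashlib.sha256(verifier.encode()).digest())


class ToyAuthorizationServer:
    """Issues single-use codes bound to client, redirect_uri and PKCE
    challenge (steps 2-3), then exchanges them for tokens (step 4)."""

    def __init__(self, clients: dict):
        self.clients = clients  # client_id -> registered redirect_uri
        self.codes = {}         # code -> binding data

    def authorize(self, params: dict, user: str = "alice") -> dict:
        # Login and consent of `user` are assumed to have succeeded here.
        if params.get("response_type") != "code":
            return {"error": "unsupported_response_type", "state": params.get("state")}
        if self.clients.get(params.get("client_id")) != params.get("redirect_uri"):
            return {"error": "invalid_request", "state": params.get("state")}
        code = secrets.token_urlsafe(32)
        keys = ("client_id", "redirect_uri", "code_challenge", "scope")
        self.codes[code] = {k: params[k] for k in keys}
        self.codes[code].update(sub=user, expires=time.time() + 60)
        return {"code": code, "state": params["state"]}

    def token(self, form: dict) -> dict:
        meta = self.codes.pop(form.get("code", ""), None)  # pop: a code works once
        if meta is None or meta["expires"] < time.time():
            return {"error": "invalid_grant"}
        if (form.get("client_id"), form.get("redirect_uri")) != (meta["client_id"], meta["redirect_uri"]):
            return {"error": "invalid_grant"}
        # PKCE: the verifier must hash to the challenge sent in step 1.
        if not secrets.compare_digest(pkce_challenge(form.get("code_verifier", "")), meta["code_challenge"]):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": meta["scope"]}


class Client:
    """The relying web app. The token endpoint is a callable so no network is needed."""

    def __init__(self, client_id, redirect_uri, authorize_url, token_endpoint):
        self.client_id, self.redirect_uri = client_id, redirect_uri
        self.authorize_url, self.token_endpoint = authorize_url, token_endpoint
        self.pending = {}  # state -> code_verifier; lives in the user's session

    def start(self, scope: str) -> str:
        # Step 1: fresh state (CSRF binding) and PKCE verifier per request.
        state = secrets.token_urlsafe(16)
        verifier = secrets.token_urlsafe(48)  # 64 chars, within the 43-128 limit
        self.pending[state] = verifier
        return self.authorize_url + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": scope, "state": state,
            "code_challenge": pkce_challenge(verifier), "code_challenge_method": "S256"})

    def callback(self, redirect_url: str) -> dict:
        # Steps 3-4: validate state before touching the code, then redeem it.
        params = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        verifier = self.pending.pop(params.get("state", ""), None)
        if verifier is None:
            raise ValueError("unknown state: rejecting callback (possible CSRF)")
        if "error" in params:
            raise ValueError("authorization failed: " + params["error"])
        return self.token_endpoint({"grant_type": "authorization_code", "code": params["code"],
                                    "redirect_uri": self.redirect_uri,
                                    "client_id": self.client_id, "code_verifier": verifier})


def run_flow(tamper_state: bool = False):
    """Drive steps 1-5. Returns (token_response, replay_response); the replay
    must be refused. With tamper_state the callback carries a state the
    client never issued and callback() raises ValueError."""
    server = ToyAuthorizationServer({"web-app": REDIRECT_URI})
    client = Client("web-app", REDIRECT_URI, "https://as.example/authorize", server.token)
    auth_url = client.start("profile email")
    req = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}  # browser carries it
    resp = server.authorize(req)                  # step 2 happens inside
    if tamper_state:
        resp["state"] = "attacker-chosen"
    tokens = client.callback(REDIRECT_URI + "?" + urlencode(resp))  # step 3 + 4
    # Step 5 would send "Authorization: Bearer <access_token>" to the API.
    replay = server.token({"grant_type": "authorization_code", "code": resp["code"],
                           "redirect_uri": REDIRECT_URI, "client_id": "web-app",
                           "code_verifier": "spent code, verifier does not matter"})
    return tokens, replay


if __name__ == "__main__":
    print(run_flow())
```

The state check runs before the code is redeemed, so an attacker who tricks the victim's browser into visiting the callback with the attacker's own code never gets that code bound to the victim's session. The server pops the code on first use, so a leaked or replayed code yields invalid_grant, and the PKCE verifier check means a code intercepted from the redirect cannot be redeemed without the verifier held only by the client that started the flow.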

Key Actors

  • Client application: the app that requests access on the user's behalf and later calls the API.
  • Resource owner: the user who owns the data and grants (or refuses) consent.
  • Authorization server: authenticates the user, records consent, issues codes and tokens.
  • Resource server (API): holds the protected data and accepts access tokens.
  • User agent (browser/device): carries the redirects between client and authorization server.

Notes

  • For authentication, use OpenID Connect, which adds an ID token (a signed JWT describing the authenticated user) on top of the OAuth flow; an access token alone does not prove who the user is.
  • Always validate state on the callback (it binds the response to the session that started the flow and blocks login CSRF) and the nonce in the ID token (it binds the token to the original request and blocks replay).