OAuth
Definition
Open Authorization - a secure standard for API access that allows users to grant third-party applications limited access without sharing their passwords.
Use Cases
- Google: Allowing third-party apps to access a user's Google data (e.g., Gmail, Calendar, Drive) without sharing the user's password — Google operates an OAuth 2.0 authorization server. Users grant consent on Google’s authorization screen; apps receive authorization codes and exchange them for access tokens (and optionally refresh tokens) scoped to specific APIs. (Enables secure delegated access with user consent and limited scopes, reducing password sharing and allowing users/admins to review and revoke third-party access.)
- GitHub: Letting developer tools and SaaS apps sign users in and access GitHub resources (e.g., repositories, issues) via delegated authorization — GitHub provides OAuth Apps and GitHub Apps. OAuth flows issue tokens with defined scopes; GitHub Apps can use more granular permissions and short-lived tokens for API access. (Improves security and user experience by enabling scoped, revocable access for integrations while avoiding credential sharing.)
- Spotify: Allowing users to sign in and grant third-party apps access to Spotify account data and playback controls — Spotify implements OAuth 2.0 authorization code flow. Users authenticate and consent; apps receive access tokens with scopes such as reading playlists or controlling playback. (Supports a large ecosystem of integrations with controlled, permission-based access and a smoother login experience.)
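The three use cases above all describe the same OAuth 2.0 authorization code flow: the user consents on the provider's screen, the app receives a short-lived code, exchanges it for an access token limited to the consented scopes, and the user or an admin can later revoke that token. The following simulation is an added example, not code from Google, GitHub or Spotify; the client id, redirect URI, secret, user and scope names are constructed, and the authorization server is a toy in-memory one that nevertheless enforces the checks a real one performs (registered redirect URI, single-use and expiring codes, client authentication, PKCE, scope enforcement, revocation).

```python
import base64
import hashlib
import secrets
import time


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge: BASE64URL(SHA256(verifier)) without '=' padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Toy authorization server (constructed): single-use codes, scoped bearer tokens."""

    def __init__(self):
        self.clients = {}  # client_id -> {"redirect_uri", "secret"}
        self.codes = {}    # authorization code -> pending grant (single use, 60 s)
        self.tokens = {}   # access token -> {"sub", "scope", "client_id", "exp"}

    def register_client(self, client_id, redirect_uri, client_secret):
        self.clients[client_id] = {"redirect_uri": redirect_uri, "secret": client_secret}

    def authorize(self, client_id, redirect_uri, requested, user, consented, code_challenge):
        """Authorization endpoint, reached after the user authenticated and consented.
        Only scopes the user actually consented to are bound to the code."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unauthorized_client")  # never redirect to an unregistered URI
        granted = [s for s in requested if s in consented]
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "sub": user,
                            "scope": granted, "code_challenge": code_challenge,
                            "exp": time.time() + 60}
        return code

    def token(self, client_id, client_secret, code, redirect_uri, code_verifier):
        """Token endpoint: code -> access token, enforcing single use, expiry,
        client/redirect binding and the PKCE verifier."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        grant = self.codes.pop(code, None)  # pop: a replayed code is rejected below
        if grant is None or grant["exp"] < time.time():
            raise PermissionError("invalid_grant")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant")
        if not secrets.compare_digest(pkce_challenge(code_verifier), grant["code_challenge"]):
            raise PermissionError("invalid_grant")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"sub": grant["sub"], "scope": grant["scope"],
                                     "client_id": client_id, "exp": time.time() + 3600}
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": 3600, "scope": " ".join(grant["scope"])}

    def introspect(self, access_token):
        """Claims of a valid token, else None (simplified RFC 7662 introspection)."""
        info = self.tokens.get(access_token)
        if info is None or info["exp"] < time.time():
            return None
        return info

    def revoke(self, access_token):
        """User/admin revokes the grant; the token stops working on the next API call."""
        self.tokens.pop(access_token, None)


class ResourceServer:
    """Toy API that checks the token and its scope on every call."""

    def __init__(self, auth_server):
        self.auth_server = auth_server

    def _check(self, access_token, scope):
        info = self.auth_server.introspect(access_token)
        if info is None:
            return None, "401 invalid_token"
        if scope not in info["scope"]:
            return None, "403 insufficient_scope"
        return info, None

    def read_calendar(self, access_token):
        info, err = self._check(access_token, "calendar.read")
        return err or f"200 calendar of {info['sub']}"

    def send_mail(self, access_token):
        info, err = self._check(access_token, "mail.send")
        return err or f"200 mail sent as {info['sub']}"


def run_flow():
    """Walks the whole exchange with constructed values and returns what each step observed."""
    auth, api = AuthorizationServer(), None
    api = ResourceServer(auth)
    auth.register_client("calendar-widget", "https://widget.example/cb", "s3cret")  # constructed
    verifier = secrets.token_urlsafe(32)
    # 1. Front channel: the app asks for two scopes, the user consents to one.
    code = auth.authorize("calendar-widget", "https://widget.example/cb",
                          ["calendar.read", "mail.send"], user="alice",
                          consented={"calendar.read"}, code_challenge=pkce_challenge(verifier))
    # 2. Back channel: the app exchanges the code for a token scoped to what was granted.
    tok = auth.token("calendar-widget", "s3cret", code, "https://widget.example/cb", verifier)
    results = {"scope": tok["scope"],
               "calendar": api.read_calendar(tok["access_token"]),
               "mail": api.send_mail(tok["access_token"])}
    # 3. Replaying the same code must fail.
    try:
        auth.token("calendar-widget", "s3cret", code, "https://widget.example/cb", verifier)
        results["replay"] = "accepted"
    except PermissionError as exc:
        results["replay"] = str(exc)
    # 4. Revocation is immediate for the next request.
    auth.revoke(tok["access_token"])
    results["after_revoke"] = api.read_calendar(tok["access_token"])
    return results


if __name__ == "__main__":
    print(run_flow())
```

Running `run_flow()` shows the token carrying only `calendar.read`, the mail call answered with `403 insufficient_scope`, the replayed code rejected with `invalid_grant`, and the calendar call failing with `401 invalid_token` after revocation. Real providers return these results as HTTP responses and JSON bodies rather than Python values, but the decision points are the same ones to look for when reviewing an integration.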
Provider Equivalents
- AWS: Amazon Cognito
- Azure: Microsoft Entra ID (Azure AD)
- GCP: Identity Platform
- OCI: OCI Identity and Access Management (IAM) Identity Domains
Frequently Asked Questions
- What's the difference between OAuth and OpenID Connect (OIDC)?
- OAuth 2.0 is mainly for authorization—granting an app permission to call an API using access tokens. OpenID Connect (OIDC) is an identity layer on top of OAuth 2.0 that adds authentication—proving who the user is—by returning an ID token with user identity claims. In practice: use OAuth to access APIs; use OIDC when you also need user sign-in.
- When should I use OAuth?
- Use OAuth when an application needs delegated, limited access to an API on behalf of a user or service without sharing passwords. Common cases include: 'Sign in with Google/Microsoft' (often via OIDC), mobile apps calling your backend APIs, third-party integrations accessing user data with consent, and microservices using short-lived tokens instead of long-lived API keys.
- How much does OAuth cost?
- OAuth itself is a free standard—there’s no licensing cost to use the protocol. Costs come from how you implement it: running your own identity provider (infrastructure and operations), or using a managed service (often priced by monthly active users, number of authentications, advanced security features, or API calls). If you use a social login provider (e.g., Google), the OAuth flow is typically free, but your app may still incur costs for your identity platform, API gateway, and token validation at scale.
Category: security
Difficulty: intermediate
Related Terms
See Also