OAuth Explained: The Complete Guide

OAuth (Open Authorization) is an open standard that allows one application to access resources or data in another application on behalf of a user, without needing the user’s password.
OAuth is a secure way for apps to access user data from another service — using tokens instead of passwords.
Real-world example
When you sign up for a third-party app using “Login with Google” or “Login with GitHub”, the app never receives your Google/GitHub password.
Instead:
1. You click Login with GitHub
2. GitHub asks you to log in
3. GitHub asks: “Do you allow this application to access your profile/email?”
4. If you approve → GitHub sends the app a token
5. The app uses that token to read your profile or email
This entire secure process = OAuth.

Why do we need OAuth?
Before OAuth existed, apps shared passwords. (Yes, literally)
OAuth was created because:
Users had to share passwords with 3rd-party apps
Apps got full access to your account
No ability to restrict permissions (read-only, write-only, etc.)
If you changed your password → everything broke
No secure way to revoke access for just one app
OAuth solved all of these.
OAuth enabled:
Limited access scope (email only, profile only, etc.)
Tokens instead of credentials
Ability to revoke access without changing passwords
Secure flow for mobile, web, single-page apps, and backend apps
What was used before OAuth?
1. Password Anti-Pattern (Credential Sharing)
Example:
You want an app to post a tweet for you → you give the app your X (Twitter) username/password.
Problems:
App can do anything on your account
No permission scoping
Password leaks = catastrophic
No standardized auth method
2. Proprietary APIs
Each provider made its own custom “login system”.
No standardization → confusion for developers.
OAuth became the universal and safer standard.
Present Alternatives to OAuth
Though OAuth is most common, alternatives exist.
1. SAML (Security Assertion Markup Language)
XML-based, mostly used in enterprises
Good for Single Sign-On (SSO)
Replaced older corporate directory logins
2. OpenID Connect (OIDC) — Built on OAuth 2.0
OIDC = OAuth 2.0 + user identity
Adds ID tokens, user info endpoint (profile/email), etc.
OIDC is what Google Login and Microsoft Login use today.
3. Kerberos
Internal networks, Windows domains.
4. JWT-based in-house authentication
APIs using JWT tokens without OAuth flows.
OAuth vs SAML
| Feature | OAuth | SAML |
| --- | --- | --- |
| Purpose | Authorization | Authentication + SSO |
| Format | JSON | XML |
| Popular use | Mobile, Web APIs | Enterprise identity systems |
| Token format | Access tokens (often JWT) | SAML assertions |
| Typical Example | “Login with Google” | Corporate SSO into Salesforce |
Simple summary:
OAuth = I give this app permission to access data.
SAML = I want to log in across systems using one identity.
What is OAuth 2.0?
OAuth 2.0 is the modern version of OAuth: more flexible and simpler to implement than 1.0, while remaining secure.
OAuth 1.0 → used signatures and was more complex
OAuth 2.0 → uses bearer tokens (like a movie ticket; possession = access)
OAuth 2.0 introduced:
Separation of roles (resource server, authorization server)
Multiple flows
Access token + refresh token
Scopes
Better support for SPAs / mobile apps
Most OAuth systems in the world today use OAuth 2.0.
What is Auth0?
Auth0 (by Okta) is a cloud identity platform that implements:
OAuth 2.0
OpenID Connect
SAML
User management
MFA
Passwordless
Social login (Google, FB, Apple)
Auth0 is not OAuth — it is a company/service that uses OAuth under the hood.
Advantages of OAuth
Security
No password sharing
Tokens can be short-lived
Scopes limit what apps can access
Better developer experience
Standardized
Easy integration with Google, Facebook, GitHub
Granular permissions
Example:
“Read your contacts but not send emails.”
Good for distributed microservices
Tokens flow easily across services.
Limitations & Disadvantages of OAuth
Complexity
For beginners → OAuth can feel overwhelming.
Misconfigurations lead to vulnerabilities
Especially:
Redirect URI issues
Token leakage in URLs
Not an authentication protocol
OAuth = Authorization
OIDC = Authentication
(Many incorrectly use OAuth for login.)
Requires secure storage of tokens
If access tokens leak → anyone can use them.
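The leaked-token risk above follows from the bearer model (possession = access), so the resource server's only defence is to accept nothing but tokens that are known, unexpired and carry the scope the route needs. This is an added example, not code from the original article: TOKEN_STORE is a constructed in-memory table standing in for JWT validation or an introspection call, and parseBearer, authorize and requireScope are names chosen here.

```javascript
// Resource-server side of OAuth 2.0 bearer tokens (RFC 6750). Constructed sample
// token table: opaque token -> { subject, scopes, expiresAt (ms since epoch) }.
// A real server would validate a signed JWT or call the authorization server's
// introspection endpoint instead of looking tokens up in a local map.
const TOKEN_STORE = new Map([
  ['tok_read_ok', { subject: 'alice', scopes: ['contacts.read'], expiresAt: 1800000000000 }],
  ['tok_expired', { subject: 'alice', scopes: ['contacts.read'], expiresAt: 1600000000000 }],
]);

// Extract the token from "Authorization: Bearer <b64token>"; null when absent or malformed.
function parseBearer(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const m = /^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$/i.exec(headerValue.trim());
  return m ? m[1] : null;
}

// Decide whether a request may proceed. 401 means "no usable token", 403 means
// "valid token, wrong scope"; the challenge string follows RFC 6750 section 3.
function authorize(headerValue, requiredScope, now = Date.now()) {
  const token = parseBearer(headerValue);
  if (!token) return { status: 401, challenge: 'Bearer realm="api"' };
  const record = TOKEN_STORE.get(token);
  if (!record || record.expiresAt <= now) {
    // Unknown or expired: a short lifetime is what limits the damage of a leaked token.
    return { status: 401, challenge: 'Bearer realm="api", error="invalid_token"' };
  }
  if (!record.scopes.includes(requiredScope)) {
    return { status: 403, challenge: `Bearer realm="api", error="insufficient_scope", scope="${requiredScope}"` };
  }
  return { status: 200, subject: record.subject };
}

// Express-style middleware built on authorize();
// usage: app.get('/contacts', requireScope('contacts.read'), handler)
function requireScope(requiredScope) {
  return (req, res, next) => {
    const result = authorize(req.headers.authorization, requiredScope);
    if (result.status !== 200) {
      return res.status(result.status).set('WWW-Authenticate', result.challenge).end();
    }
    req.subject = result.subject; // identity the token was issued for
    next();
  };
}
```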
Basic Authorization Code Flow (most common; used by web apps)
User ---> App: "Login with Google"
App ---> Google Auth Server: Redirect user to login
User ---> Google: Enters credentials
Google ---> User: "Do you allow access?"
User ---> Google: Yes
Google ---> App: Authorization Code (via redirect)
App ---> Google: Exchanges code for Access Token
Google ---> App: Access Token + Refresh Token
App ---> Google API: Access protected resources
Example: OAuth Authorization Code Flow (using Node.js + Express + Google OAuth 2.0)
```javascript
import express from 'express';
import { google } from 'googleapis';

const CLIENT_ID = 'YOUR_CLIENT_ID';
const CLIENT_SECRET = 'YOUR_CLIENT_SECRET';
const REDIRECT_URI = 'http://localhost:3000/callback';
const PORT = 3000;

const app = express();

// 1. Initialize the OAuth2 client
const oauth2Client = new google.auth.OAuth2(
  CLIENT_ID,
  CLIENT_SECRET,
  REDIRECT_URI
);

/**
 * STEP 1: Initiate the flow - Redirect user to Google
 */
app.get('/login', (req, res) => {
  const url = oauth2Client.generateAuthUrl({
    access_type: 'offline', // Request a Refresh Token
    scope: ['profile', 'email'], // Request required scopes
    // Note: A 'state' parameter should be added here for production security!
  });
  res.redirect(url);
});

/**
 * STEP 2: Handle the callback - Exchange the Authorization Code for tokens
 */
app.get('/callback', async (req, res) => {
  const code = req.query.code;
  // A repeated query parameter arrives as an array; accept only a single non-empty string
  if (typeof code !== 'string' || code.length === 0) {
    return res.status(400).send('Authorization code missing.');
  }
  try {
    // Exchange the code for the Access Token
    const { tokens } = await oauth2Client.getToken(code);
    // Save the credentials (Access Token & Refresh Token) for future API calls.
    // Demo only: a single shared client holds one user's tokens; a real app stores
    // tokens per user session.
    oauth2Client.setCredentials(tokens);
    const responseMessage = `
      <h1>OAuth Flow Complete</h1>
      <p>Access Token successfully retrieved and set!</p>
      <p>Token: <code>${tokens.access_token.substring(0, 10)}...</code> (Truncated for display)</p>
    `;
    res.send(responseMessage);
  } catch (err) {
    // Log details server-side; do not echo the provider's error text back to the browser
    console.error('Token exchange failed:', err.message);
    res.status(500).send('Token exchange failed.');
  }
});

app.listen(PORT, () => console.log(`Server running on port ${PORT}`));
```
Frequently Asked Questions
Q: Does OAuth store my password?
No. The app you authorize never receives or stores your password; you only enter it at the provider (Google, GitHub, etc.), which hands the app a token instead.
Q: Is OAuth used for login?
OAuth itself = no
OIDC (built on OAuth) = yes
Q: Is OAuth safe?
Yes — if implemented correctly.
Q: Is OAuth 1.0 still used?
Almost never. OAuth 2.0 replaced it.
Conclusion
OAuth is the backbone of modern authentication/authorization across the internet. Whether you're working with mobile apps, backend APIs, enterprise applications, or microservices — OAuth is essential knowledge.