OAuth Framework
Category: Cyber Security Standards
OAuth 2.0 is an authorization framework that enables client applications to obtain limited access to protected web resources, including application services, either on behalf of the resource owner, or directly by supplying client credentials to an Authorization Server.
Access Management
Delegated Authorization to Access Web Resources
In the traditional client-server authentication model, the client requests an access-restricted (protected) resource on the server by authenticating with the server using the resource owner's credentials. In order to provide third-party applications access to protected resources, the resource owner shares its credentials with the third party. This creates several security vulnerabilities and privacy problems.
The OAuth 2.0 framework addresses these issues by introducing an authorization layer and separating the role of the client from that of the resource owner. It defines four authorization grants that represent the resource owner's decision: authorization code, implicit, resource owner password credentials and client credentials.
Instead of using the resource owner's credentials to access protected resources, the client obtains an access token, a string denoting a specific scope, lifetime and other access attributes. Access tokens are issued to third-party clients by an Authorization Server, allowing them to access protected resources hosted by the Resource Server without ever seeing the resource owner's credentials.
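The separation of roles described above, as an added example that is not part of this page or of any OAuth library: an in-process simulation of the authorization code grant and the client credentials grant, with an Authorization Server that issues single-use codes and scoped, time-limited access tokens, and a Resource Server that checks scope and expiry before serving a resource. Client ids, secrets, redirect URIs and scope names are constructed for the example; the HTTP endpoints of a real deployment are replaced by method calls, and the clock is injectable so lifetimes can be exercised.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed client registrations (hypothetical values, not from any real deployment).
REGISTERED_CLIENTS = {
    "photo-printer": {"secret": "s3cret-printer", "redirect_uri": "https://printer.example/cb"},
    "nightly-batch": {"secret": "s3cret-batch", "redirect_uri": None},  # machine-to-machine only
}

CODE_LIFETIME = 600     # seconds an authorization code stays redeemable
TOKEN_LIFETIME = 3600   # seconds an access token stays valid


@dataclass
class AuthorizationServer:
    clients: dict
    clock: Callable[[], float] = time.time
    codes: dict = field(default_factory=dict)
    tokens: dict = field(default_factory=dict)

    def _check_client(self, client_id: str, client_secret: str) -> dict:
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        return client

    def authorize(self, client_id: str, redirect_uri: str, scope, resource_owner: str) -> str:
        """Authorization endpoint: the resource owner has authenticated here and approved
        `scope`; the client receives only the resulting code, never the owner's credentials."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_request")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": set(scope), "owner": resource_owner,
                            "expires": self.clock() + CODE_LIFETIME}
        return code

    def _issue_token(self, client_id: str, scope, owner: Optional[str]) -> dict:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"client_id": client_id, "scope": set(scope), "owner": owner,
                              "expires": self.clock() + TOKEN_LIFETIME}
        return {"access_token": token, "token_type": "Bearer",
                "expires_in": TOKEN_LIFETIME, "scope": " ".join(sorted(scope))}

    def token_authorization_code(self, client_id, client_secret, code, redirect_uri) -> dict:
        """Token endpoint, grant_type=authorization_code."""
        self._check_client(client_id, client_secret)
        grant = self.codes.pop(code, None)  # single use: consumed whether or not it verifies
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri or grant["expires"] < self.clock()):
            raise PermissionError("invalid_grant")
        return self._issue_token(client_id, grant["scope"], grant["owner"])

    def token_client_credentials(self, client_id, client_secret, scope) -> dict:
        """Token endpoint, grant_type=client_credentials: no resource owner is involved."""
        self._check_client(client_id, client_secret)
        return self._issue_token(client_id, scope, owner=None)

    def introspect(self, token: str) -> dict:
        info = self.tokens.get(token)
        if info is None or info["expires"] < self.clock():
            return {"active": False}
        return {"active": True, **info}


@dataclass
class ResourceServer:
    auth_server: AuthorizationServer

    def read_photos(self, bearer_token: str) -> str:
        """Protected resource: requires an active token carrying the photos:read scope."""
        info = self.auth_server.introspect(bearer_token)
        if not info["active"]:
            raise PermissionError("invalid_token")
        if "photos:read" not in info["scope"]:
            raise PermissionError("insufficient_scope")
        return f"photos of {info['owner']}"


def run_flows(clock: Callable[[], float] = time.time) -> dict:
    """Exercise both grants against one Authorization Server and report what happened."""
    auth = AuthorizationServer(REGISTERED_CLIENTS, clock)
    rs = ResourceServer(auth)
    cb = "https://printer.example/cb"
    # Authorization code grant: owner "alice" approves photos:read for the printer client.
    code = auth.authorize("photo-printer", cb, ["photos:read"], "alice")
    tok = auth.token_authorization_code("photo-printer", "s3cret-printer", code, cb)
    photos = rs.read_photos(tok["access_token"])
    try:  # the same code presented twice must be rejected
        auth.token_authorization_code("photo-printer", "s3cret-printer", code, cb)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    # Client credentials grant: the batch job acts for itself, with its own scope.
    cc = auth.token_client_credentials("nightly-batch", "s3cret-batch", ["reports:read"])
    try:  # its token lacks photos:read, so the photo resource refuses it
        rs.read_photos(cc["access_token"])
        scope_rejected = False
    except PermissionError:
        scope_rejected = True
    return {"photos": photos, "replay_rejected": replay_rejected,
            "client_credentials_scope": cc["scope"], "scope_rejected": scope_rejected}
```

Two checks are worth noting in the design: the code is popped from the store before it is validated, so a failed or replayed redemption cannot be retried, and the Resource Server decides on scope and expiry from the introspection result rather than trusting anything the client sends alongside the token.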