OAuth 2.0 Authorisation Framework

/ 6th Jul 2025
/ 7th Jul 2025
api authorisation github-copilot-generated oauth protocol security tokens

TL;DR

OAuth 2.0 enables secure authorisation without sharing credentials - fundamental to modern API security.

The Problem OAuth Solves

Sharing a username and password with a third party to give it access creates security risks. OAuth instead provides delegated authorization without exposing the user's credentials.

Core Components

  • Resource Owner - User who owns the protected data
  • Client - Application requesting access to resources
  • Authorization Server - Issues access tokens (e.g., Microsoft Entra ID)
  • Resource Server - Hosts protected resources/APIs

Grant Types

Authorization Code

Most secure flow for server-side applications:

  1. Client redirects user to authorization server
  2. User authenticates and grants consent
  3. Authorization server redirects with authorization code
  4. Client exchanges code for access token
  5. Client uses token to access protected resources

Client Credentials

For service-to-service authentication:

  • No user interaction required
  • Client authenticates directly with authorization server
  • Suitable for backend processes and microservices

Implicit (Deprecated)

Previously used for single-page applications, now replaced by [[Authorization Code with PKCE]].

Security Enhancements

PKCE (Proof Key for Code Exchange)

  • Essential for public clients (mobile apps, SPAs)
  • Prevents authorization code interception attacks
  • Uses cryptographically random code verifier
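Worked example, added here and not part of the original note or of any particular OAuth library: a public client generating a PKCE code verifier and S256 challenge, building the step-1 authorization request (with a state parameter), and a toy in-memory authorization server that binds the issued code to the challenge and refuses the step-4 exchange unless the original verifier is presented. Endpoint, client id and redirect URI are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def make_code_verifier() -> str:
    # RFC 7636: 43-128 unreserved chars; 32 random bytes -> 43 base64url chars
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier))), padding stripped
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorize_url(endpoint, client_id, redirect_uri, scope, state, challenge):
    # Step 1: the client redirects the user here; state is the CSRF token
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{endpoint}?{urlencode(params)}"


class AuthorizationServer:
    """Toy in-memory authorization server (constructed for this example)."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def issue_code(self, authorize_url: str) -> str:
        # Step 3: after consent, bind a one-time code to the PKCE challenge
        q = {k: v[0] for k, v in parse_qs(urlparse(authorize_url).query).items()}
        code = secrets.token_urlsafe(32)
        self._codes[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"])
        return code

    def exchange(self, code, client_id, redirect_uri, verifier):
        # Step 4: the code is single-use and redeemable only with the original verifier
        entry = self._codes.pop(code, None)
        if entry is None or entry[:2] != (client_id, redirect_uri):
            return None
        if not hmac.compare_digest(make_code_challenge(verifier), entry[2]):
            return None  # an intercepted code is useless without the verifier
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
```

A failed exchange also consumes the code, so a legitimate client whose code was used by someone else simply sees the exchange fail and restarts the flow.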

Additional Security Measures

  • State Parameter - CSRF protection
  • Scope Limitation - Principle of least privilege
  • Token Validation - Verify issuer, audience, expiration
  • Secure Storage - Protect tokens from unauthorized access

Common Use Cases

  • Social login (Google, Facebook, GitHub)
  • API access delegation
  • Microservices authentication
  • Third-party integrations
  • Mobile app authorization

Best Practices

  • Always use HTTPS for token endpoints
  • Implement proper token storage
  • Rotate tokens regularly
  • Monitor for suspicious activities
  • Validate all tokens server-side