OAuth Explained: How It Works & Why It Matters

OAuth is mentioned in many SaaS circles when it comes to identity management and access control. But what’s it all about? Check out this detailed guide to learn more about the ins and outs of this authorization protocol.

OAuth definition: What is OAuth?

OAuth is an open-standard authorization protocol. It allows servers and services, which are not directly integrated, to provide authenticated access to their assets. OAuth uses tokens to share authorization data, without requiring applications to share actual logon credentials. This is known as secure, third-party, delegated authorization.

OAuth allows users to authorize one application to interact with another on their behalf, without giving away their password. Users can also specify exactly which permissions the application should have, which creates transparency and enhances security.

The OAuth framework gives application owners the ability to grant cross-domain access control. It manages authentication and authorization separately, which enables easier interoperability. It supports multiple use-cases, including server-to-server and application-to-server, and can be used in combination with other protocols for more complex user cases.

This is part of an extensive series of guides about access management.

In this article:

How OAuth works

OAuth consists of various key elements that together ensure the secure transfer of authorization data.

OAuth scopes

OAuth scopes provide a way for a client to limit the amount of access they have to a user’s data. When requesting a token for access, a client can specify the scope of access required. Consequently, the user can clearly understand what they are permitting the client to do during the process of authorization.

OAuth scopes influence the client’s access level to the user’s protected information. A ‘read’ access scope, for instance, permits the client to visualize data but not modify it. Alternatively, a ‘write’ access scope allows the client to both view and modify the data.

However, note that OAuth scopes aren’t used for security, but for transparency with users. They cannot prevent a malicious client from accessing an access token, but help the user comprehend what they’re authorizing an application to do with their data.

Participants in OAuth

Several entities participate in the OAuth workflow. These include the Resource Owner, Client, Authorization Server, and Resource Server:

The Resource Owner usually refers to the end-user using the application who has ownership of the resources being protected.
The Client is the application seeking access to the user’s account and requires user permission to access their data.
The Authorization Server authenticates the Resource Owner and issues access tokens after receiving proper authorization. You can think of the Authorization Server as a gatekeeper for user data.
The Resource Server manages the protected user’s accounts, dealing with protected resource requests using the access tokens.

Tokens in OAuth

The OAuth protocol uses tokens, which allow a client to access the Resource Owner’s data. OAuth has two token types:

An access token is utilized by the Client to access the Resource Owner’s data. The Authorization Server issues the access token to the Client after proper authentication and authorization. The Client uses the access token to request the Resource Server.
A refresh token replaces the previous access token when it expires without requiring the Resource Owner to re-authenticate. The refresh token is usually issued along with the access token and employed when the access token becomes invalid.

OAuth flows

OAuth flows or grant types illustrate how a client can receive an access token. The OAuth protocol defines four different grant types:

The Authorization Code flow only works with clients that can secure their client secret. First, the client directs the resource owner to an authorization server. Subsequently, the resource owner authenticates with the authorization server, which then redirects the resource owner back to the client with an authorization code.
The Implicit flow is designed for clients who can’t secure their client secret. This process is similar to the Authorization Code flow; however, the access token is returned to the client directly without using an intermediate authorization code.
The Password flow requires the client to collect the resource owner’s authentication details and send them to the authorization server. Only clients that the resource owner highly trusts should employ this process.
The Client Credentials flow is best when the client is also the resource owner. This involves the client undergoing authentication with the authorization server using its credentials.

What Is OAuth used for?

OAuth is widely used across various applications and services to enable secure authorization and access control. Here are some common use cases:

Third-party login integration: OAuth is often used to allow users to log into a service using their credentials from another provider, such as Google, Facebook, or Twitter. This simplifies the login process for users and reduces the need for creating and remembering multiple passwords.
API authorization: OAuth is commonly used for granting access to APIs. For instance, a user can permit an application to access their Google Drive files or post on their Twitter account on their behalf without sharing their login credentials.
Microservices communication: In environments where multiple microservices need to communicate securely, OAuth tokens can be used to authenticate and authorize these interactions, ensuring that each service has the necessary permissions.
Mobile and desktop applications: OAuth is also utilized in mobile and desktop applications to authorize access to user data stored on remote servers. For example, a fitness app might use OAuth to access a user’s health data from a healthcare provider’s API.
Delegated access: OAuth allows for delegated access, where users can grant limited permissions to applications to perform actions on their behalf. For example, a project management tool might be authorized to access a user’s calendar to schedule meetings.

OAuth evolution: 1.0 vs. 2.0

OAuth has evolved over the years, and it is important to understand its different versions.

OAuth 1.0 was the first version of OAuth, and was a major step towards more convenient, secure authorization. However, it was a bit complex for developers to use and customize, due to its requirement for cryptographic signatures.

OAuth 2.0 focused on simplifying work for developers while maintaining high security standards. OAuth 2.0 dropped cryptographic signatures in favor of SSL/TLS, thereby simplifying the protocol. It also introduced scopes and tokens, providing more refined access control.

However, while OAuth 2.0 is believed to be an improvement over OAuth 1.0, it does invite some criticism. Some security experts suggest that OAuth 2.0’s reliance on SSL/TLS for security makes it more susceptible to specific attack types.

OAuth vs. other protocols

Let’s examine how OAuth compares to other well-known authentication and authorization protocols.

SAML vs. OAuth

SAML (Security Assertion Markup Language) and OAuth both ensure the secure exchange of information. However, they work differently. SAML mainly operates in the context of enterprise single sign-on (SSO), whereas OAuth is optimized for allowing third-party applications to access user data without sharing a password.

Whereas SAML uses XML for data formatting, OAuth employs JSON. Therefore, OAuth is lightweight and ideal for mobile applications. However, SAML’s capabilities are more extensive, offering complex assertions about a user’s authentication and authorization status.

Learn more in our detailed guide about OAuth vs SAML

OAuth vs. SSO

SSO allows users to authenticate once and gain access to multiple applications without needing to log in separately to each one. This provides a seamless user experience and reduces the burden of managing multiple credentials. SSO typically relies on protocols such as SAML, OAuth, or OpenID Connect (OIDC) to manage the authentication process across different applications.

OAuth is primarily focused on authorization, allowing third-party applications to access user data without exposing passwords. While OAuth can be a component of an SSO solution, it does not provide the complete SSO experience on its own. Instead, OAuth can enable specific applications to act on behalf of the user, leveraging tokens to access resources securely.

OAuth vs. OpenID

OpenID is a protocol for SSO that, unlike SAML, focuses on federated identity, thereby allowing users to rely on the same credentials across different sites. In contrast, OAuth is about authorization, not authentication. It’s about enabling one application to get access to another application on behalf of a user.

However, OAuth and OpenID work together. OpenID Connect is an identity layer constructed atop the OAuth 2.0 protocol, which lets clients verify the identity of an end-user based on authentication facilitated by an authorization server.

OAuth vs. JWT

JWT (JSON Web Token) is a compact, URL-safe way of representing claims to be communicated between two parties. The JSON structure includes assertions that are digitally signed with a Message Authentication Code (MAC) and/or encrypted.

OAuth 2.0 is a protocol that allows a user to grant limited access to their resources on one site, to another site, without having to expose their credentials. When compared to JWT, OAuth is a protocol that uses JWT as a means to maintain and transfer information between parties.

5 best practices for OAuth implementation

Here are a few ways you can ensure your OAuth implementation is a success.

1. Securing client credentials

The security of your OAuth implementation heavily relies on how well you protect your client credentials. These are the keys to your kingdom, and if they get into the wrong hands, your kingdom is at risk. Here are a few ways to protect your credentials:

Always use HTTPS for all interactions: HTTPS is important for all communications, not just those where you’re sending passwords. This ensures that your credentials are always sent over an encrypted connection and can’t be intercepted.
Don’t store your client credentials in the client: This might sound counter-intuitive, but the client is not a safe place to keep sensitive data. Instead, store them on your server and use them to authenticate with the authorization server.
Rotate client credentials regularly: Don’t use the same credentials for a long period of time without changing them, to prevent them falling into the wrong hands.

2. Choosing the right OAuth flow

OAuth provides several different flows for different types of applications. Choosing the right flow is crucial to the security and usability of your application.

For web applications, the Authorization Code flow is usually the best choice. This flow redirects the user to the authorization server to authenticate, and then redirects them back to your application with an authorization code. Your application can then exchange this code for an access token.
For mobile and desktop applications, the Implicit flow is often a better choice. This flow is similar to the Authorization Code flow, but it returns the access token directly after the user authenticates, rather than an authorization code.

3. Protecting redirect URIs

Redirect URIs are a critical part of the OAuth process. They’re the locations where the authorization server sends the user after they’ve authenticated. Therefore, it’s important to protect them:

Always use absolute URIs, not relative ones: This makes it harder for an attacker to manipulate the URI to point to a different location.
Only use HTTPS for your redirect URIs: This ensures that the access token, which is included in the redirect, can’t be intercepted.
Register your redirect URIs with the authorization server: This ensures that the server will only redirect users to these URIs, and not to any others that an attacker might try to use.

4. Validating access and refresh tokens

Access and refresh tokens are the keys to your user’s data. Therefore, it’s important to validate them:

Always validate the signature of the access token: This ensures that it hasn’t been tampered with.
Check the expiration time of the access token: If it’s expired, you’ll need to use the refresh token to get a new one.
Check the scope of the access token: This tells you what resources the token gives you access to, and you should ensure that it matches what you expect.

5. Implementing secure user consent

User consent is a critical part of the OAuth process. It’s what gives your application permission to access the user’s data. Therefore, it’s important to implement it in a secure and user-friendly way:

Always clearly explain to the user what they’re consenting to: This includes what data you’re accessing, what you’re using it for, and how long you’ll have access.
Don’t ask for more permissions than you need: This is not only good practice, but it also makes it more likely that the user will grant your request.
Give the user the ability to revoke their consent at any time: This gives them control over their data and builds trust in your application.

Related content: Read our guide to OAuth grant types

Using OAuth with Frontegg

Frontegg’s end-to-end and self-served authentication infrastructure is based on JSON Web Tokens. Our JWTs have been designed to adhere to the highest security standards. Therefore, our user management solution is also fully compliant with the OAuth protocol, along with OIDC 1.0 as well. We cover all important bases that are required in the modern SaaS space.

See additional guides on key access management topics

Together with our content partners, we have authored in-depth guides on several other topics that can also be useful as you explore the world of access management.

The Complete Guide to SaaS Multi-Tenant Architecture

Read the guide

Cookie	Duration	Description
_vis_opt_s	3 months 8 days	Visual Website Optimizer sets this cookie to detect if there are new to or returning to a particular test.
_vis_opt_test_cookie	session	Visual Website Optimizer creates this cookie to determine whether or not cookies are enabled on the user's browser.
li_gc	6 months	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
messagesUtk	6 months	HubSpot sets this cookie to recognize visitors who chat via the chatflows tool.

Cookie	Duration	Description
_gcl_au	3 months	Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services.
_hjSession_*	1 hour	Hotjar sets this cookie to ensure data from subsequent visits to the same site is attributed to the same user ID, which persists in the Hotjar User ID, which is unique to that site.
_hjSessionUser_*	1 year	Hotjar sets this cookie to ensure data from subsequent visits to the same site is attributed to the same user ID, which persists in the Hotjar User ID, which is unique to that site.
_hp2_ses_props.*	1 hour	Heap sets this cookie to store the timestamp and cookie domain or path.
_omappvp	1 year 1 month 4 days	The _omappvp cookie is set to distinguish new and returning users and is used in conjunction with _omappvs cookie.
_omappvs	20 minutes	The _omappvs cookie, used in conjunction with the _omappvp cookies, is used to determine if the visitor has visited the website before, or if it is a new visitor.
_vwo_uuid_v2	1 year	This cookie is set by Visual Website Optimiser and calculates unique traffic on a website.
cb_anonymous_id	1 year	Clearbit sets this cookie to track page views and traits for Clearbit.
cb_group_id	1 year	Clearbit sets this cookie to track page views and traits for Clearbit.

Cookie	Duration	Description
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
cb_user_id	1 year	Clearbit sets this cookie to collect data on visitors. This information is used to assign visitors into segments, making website advertising more relevant.

Cookie	Duration	Description
__Host-session	14 days	No description available.
__tld__	session	Description is currently not available.
_cfuvid	session	Description is currently not available.
_crowdcontrol_session_key	session	Description is currently not available.
_g2_session_id	session	Description is currently not available.
_hp2_hld346349427843107.1065080579	5 minutes	Description is currently not available.
_hp2_hld6722177740337317.1065080579	5 minutes	Description is currently not available.
_hp2_hld8090462093010520.1065080579	5 minutes	Description is currently not available.
cbtest	1 year	Description is currently not available.
debug	never	No description available.
events_distinct_id	session	Description is currently not available.
h1_device_id	1 year	Description is currently not available.
pfjscookies	1 year	Description is currently not available.

OAuth Explained: How It Works & Why It Matters

OAuth definition: What is OAuth?