OAuth
OAuth is an open standard authorization framework that enables a user or application to grant limited access to protected resources without sharing long-term credentials.
- Authorization delegation framework for HTTP-based APIs (identity and access)
- Token-based access to protected resources via access tokens (identity and access)
- Roles and protocol flows for clients, resource owners, authorization servers, and resource servers (security architecture)
- Support for web applications, native apps, browser-based apps, and Machine-to-Machine Communication (M2M) (application integration)
- Basis for related standards such as OpenID Connect (OIDC), which adds an identity layer on top of OAuth 2.0 (identity federation)
More About OAuth
OAuth is an authorization framework specified by the Internet Engineering Task Force (IETF) for delegating access to protected resources over Hypertext Transfer Protocol (HTTP) without exposing a resource owner’s credentials to third-party clients. It addresses the problem of granting scoped, time-bound, and revocable access in distributed systems where applications and services need to call APIs on a user’s behalf or on their own behalf.
The OAuth 2.0 framework (identity and access), specified in RFC 6749, defines four roles, the resource owner, client, authorization server, and resource server, along with standardized protocol flows for obtaining and using access tokens. Common grant types include the authorization code grant for server-side clients and, combined with Proof Key for Code Exchange (PKCE, RFC 7636), for public clients such as native and browser-based apps; the client credentials grant for service-to-service access; and the device authorization grant (RFC 8628) and other specialized grants profiled in IETF specifications. The implicit grant and the resource owner password credentials grant defined in RFC 6749 are deprecated by the OAuth 2.0 Security Best Current Practice (RFC 9700). Access tokens are credentials, typically bearer tokens (RFC 6750) that are either opaque strings or structured tokens such as JSON Web Tokens (JWTs), which a client presents to a resource server to gain access under the policies set by the authorization server. Because a bearer token is usable by whoever holds it, transport protection, short lifetimes, and exact redirect URI matching are part of the protocol's security model rather than optional hardening.
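The authorization code flow with PKCE described above, with both sides simulated in one process, as an added example that is not code from the original page or from any OAuth implementation. The `AuthorizationServer` class, its `authorize`/`token` methods and the `run_flow` client helper are hypothetical names modelled on the endpoints in RFC 6749 section 4.1 and RFC 7636; the client registration, redirect URI and resource owner "alice" are constructed sample data. The server rejects unregistered redirect URIs, binds each code to the client's S256 challenge, consumes codes on first use (even when verification fails), and the client checks `state` before redeeming the code.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge) for the S256 method."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside the 43..128 range
    return verifier, b64url(hashlib.sha256(verifier.encode()).digest())


class AuthorizationServer:
    """Hypothetical in-process authorization server (not a real product API)."""

    def __init__(self, registered_clients: dict):
        self.clients = registered_clients   # client_id -> registered redirect_uri
        self.codes = {}                     # code -> issuance record (single use)
        self.tokens = {}                    # access_token -> {client_id, sub, scope, exp}

    def authorize(self, params: dict, resource_owner: str) -> str:
        """Front channel: called once the resource owner has authenticated and consented.
        Returns the redirect URL carrying the code and the client's state."""
        client_id = params["client_id"]
        if self.clients.get(client_id) != params["redirect_uri"]:
            raise ValueError("invalid_request: redirect_uri not registered for client")
        if params.get("code_challenge_method") != "S256" or not params.get("code_challenge"):
            raise ValueError("invalid_request: S256 code_challenge required")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": params["redirect_uri"],
                            "challenge": params["code_challenge"], "scope": params.get("scope", ""),
                            "sub": resource_owner, "exp": time.time() + 60}  # codes are short-lived
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form: dict) -> dict:
        """Back channel: grant_type=authorization_code. The code is consumed even when
        verification fails, so a stolen code cannot be used to brute-force the verifier."""
        entry = self.codes.pop(form.get("code"), None)
        if entry is None or entry["exp"] < time.time():
            raise ValueError("invalid_grant: unknown, already used or expired code")
        if (entry["client_id"], entry["redirect_uri"]) != (form.get("client_id"), form.get("redirect_uri")):
            raise ValueError("invalid_grant: code was issued to another client or redirect_uri")
        expected = b64url(hashlib.sha256(form.get("code_verifier", "").encode()).digest())
        if not hmac.compare_digest(expected.encode(), str(entry["challenge"]).encode()):
            raise ValueError("invalid_grant: PKCE verification failed")
        access_token = secrets.token_urlsafe(32)  # opaque bearer token
        self.tokens[access_token] = {"client_id": entry["client_id"], "sub": entry["sub"],
                                     "scope": entry["scope"], "exp": time.time() + 3600}
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": 3600, "scope": entry["scope"]}


def run_flow(server: AuthorizationServer, client_id: str, redirect_uri: str, scope: str) -> dict:
    """Client side: authorization request, redirect handling, then code redemption."""
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)  # binds the redirect back to this request (CSRF defence)
    redirect = server.authorize({"response_type": "code", "client_id": client_id,
                                 "redirect_uri": redirect_uri, "scope": scope, "state": state,
                                 "code_challenge": challenge, "code_challenge_method": "S256"},
                                resource_owner="alice")  # constructed resource owner
    returned = {k: v[0] for k, v in parse_qs(urlparse(redirect).query).items()}
    if not hmac.compare_digest(returned.get("state", "").encode(), state.encode()):
        raise ValueError("state mismatch: possible CSRF or mixed-up redirect")
    return server.token({"grant_type": "authorization_code", "code": returned["code"],
                         "redirect_uri": redirect_uri, "client_id": client_id,
                         "code_verifier": verifier})


if __name__ == "__main__":
    as_ = AuthorizationServer({"web-app": "https://app.example/cb"})  # constructed registration
    print(run_flow(as_, "web-app", "https://app.example/cb", "read:profile"))
```

The verifier never leaves the client until the back-channel token request, so an attacker who intercepts the redirect (and thus the code) cannot redeem it; the server's `pop` also makes a replayed code fail regardless of the verifier supplied.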
OAuth specifies authorization grants, access tokens, and optional refresh tokens (session management) as its core mechanisms. The authorization server issues tokens after authenticating the resource owner and obtaining authorization. The resource server validates each token, either locally when the token is a signed structured token such as a JWT, or by calling the authorization server's introspection endpoint (RFC 7662) when the token is opaque, and enforces access control based on the token's claims and associated scopes (policy enforcement). Validation must cover signature or introspection result, issuer, audience, and expiry, not merely that the token parses. The framework requires TLS for the authorization and token endpoints and integrates with existing authentication mechanisms and identity providers without prescribing how the resource owner is authenticated.
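The resource server's side of the paragraph above, as an added example that is not code from the original page or from any OAuth library: local validation of a structured bearer access token followed by scope enforcement, returning the RFC 6750 `WWW-Authenticate` challenges (`invalid_token` with 401, `insufficient_scope` with 403). The token is an HS256 JWT signed with a constructed shared secret so the block runs offline; real deployments normally verify asymmetric signatures with keys fetched from the authorization server. `RS_SECRET`, `ISSUER`, `AUDIENCE`, `mint_token` (a stand-in for the authorization server's issuance), `validate_access_token` and `authorize_request` are all hypothetical names for this example.

```python
import base64
import hashlib
import hmac
import json
import time

RS_SECRET = b"constructed-demo-secret-not-for-production"  # constructed shared key
ISSUER = "https://as.example"       # assumed identifier of the authorization server
AUDIENCE = "https://api.example"    # assumed identifier of this resource server


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = RS_SECRET, alg: str = "HS256") -> str:
    """Stand-in for the authorization server's issuance: an HS256-signed JWT."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "at+jwt"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


class TokenError(Exception):
    """Carries the RFC 6750 error code and a description for WWW-Authenticate."""

    def __init__(self, code: str, description: str):
        super().__init__(f"{code}: {description}")
        self.code, self.description = code, description


def validate_access_token(token: str, now: float = None) -> dict:
    """Verify structure, algorithm, signature, issuer, audience and expiry; return the claims."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        signature = b64url_decode(s)
    except ValueError:  # wrong part count, bad base64 (binascii.Error) or bad JSON
        raise TokenError("invalid_token", "malformed token")
    # Pin the algorithm to what this resource server expects; the token's own header
    # must never choose it, otherwise "alg":"none" or key-confusion tokens slip through.
    if header.get("alg") != "HS256":
        raise TokenError("invalid_token", "unexpected signing algorithm")
    expected = hmac.new(RS_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise TokenError("invalid_token", "signature verification failed")
    if claims.get("iss") != ISSUER:
        raise TokenError("invalid_token", "untrusted issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("invalid_token", "token not intended for this resource server")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenError("invalid_token", "token expired")
    return claims


def authorize_request(headers: dict, required_scopes: set, now: float = None) -> dict:
    """Policy enforcement point for one protected request (RFC 6750 section 3 responses)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return {"status": 401, "www_authenticate": 'Bearer realm="api"', "body": None}
    try:
        claims = validate_access_token(token, now)
    except TokenError as err:
        challenge = f'Bearer error="{err.code}", error_description="{err.description}"'
        return {"status": 401, "www_authenticate": challenge, "body": None}
    granted = set(claims.get("scope", "").split())  # RFC 6749: space-delimited scope string
    if not required_scopes <= granted:
        wanted = " ".join(sorted(required_scopes))
        challenge = f'Bearer error="insufficient_scope", scope="{wanted}"'
        return {"status": 403, "www_authenticate": challenge, "body": None}
    return {"status": 200, "www_authenticate": None,
            "body": {"sub": claims.get("sub"), "scope": sorted(granted)}}


if __name__ == "__main__":
    demo = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice",
                       "scope": "read:profile", "exp": int(time.time()) + 300})
    print(authorize_request({"Authorization": "Bearer " + demo}, {"read:profile"}))
    print(authorize_request({"Authorization": "Bearer " + demo}, {"write:profile"}))
```

Signature, issuer, audience and expiry are checked before any scope logic runs, and the algorithm is fixed by the resource server rather than read from the token; a token signed under a different key, an `alg` of `none`, or an audience belonging to another API all fail closed with a 401 before any claim is trusted.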
In enterprise environments, OAuth is used to protect Representational State Transfer (REST) and other HTTP APIs, enable Single Sign-On (SSO) patterns in conjunction with identity layers, and manage delegated access between microservices, external partners, and mobile or web clients (enterprise application security). It separates the authorization server, which authenticates resource owners and records authorization decisions, from the resource servers that enforce those decisions, so authorization policy can be centralized while individual APIs scale and evolve independently.
OAuth is part of a broader IETF standards family. The core specification (RFC 6749) and related documents define bearer token usage (RFC 6750), token introspection (RFC 7662), token revocation (RFC 7009), a JWT profile for access tokens (RFC 9068), and security considerations, most recently consolidated in the OAuth 2.0 Security Best Current Practice (RFC 9700) and the native app recommendations of RFC 8252 (security standards). OIDC, built on top of OAuth 2.0, adds an identity layer for authentication and user information retrieval, and is widely used in conjunction with OAuth in identity and access management architectures. The overall ecosystem includes profiles, best current practices, and extensions published as RFCs under the IETF process.
From a directory and taxonomy perspective, OAuth is categorized as a standards-based authorization framework and token-based access control protocol (identity and access). It is relevant to Application Programming Interface (API) security, identity federation stacks, and cloud service integration, serving as a protocol foundation for delegated authorization across heterogeneous platforms and services.