Open Authorization 2.0

Open Authorization 2.0 (OAuth 2.0) is an open standard authorization framework that enables a resource owner to grant limited, revocable access to protected resources to third-party applications without sharing authentication credentials.

Expanded Explanation

1. Technical Function and Core Characteristics

OAuth 2.0 defines a framework in which a client obtains an access token from an authorization server and presents that token to a resource server to access protected resources. The framework separates the roles of resource owner, client, authorization server, and resource server, and it specifies how these entities interact through defined authorization flows, such as authorization code, client credentials, and device flows.

OAuth 2.0 uses bearer tokens that represent delegated authorization and that the resource server validates before granting access. The framework does not define how a user authenticates but relies on the authorization server to perform authentication and to issue tokens according to policy, scope, lifetime, and other constraints.

2. Enterprise Usage and Architectural Context

Enterprises use OAuth 2.0 to externalize authorization for web, mobile, Application Programming Interface (API), and microservices workloads, enabling centralized control of access to protected resources. It operates as a core component of API security architectures, often integrated with Single Sign-On (SSO), identity providers, and access management platforms.

Architects deploy OAuth 2.0 authorization servers as dedicated services that manage client registration, consent, token issuance, token introspection, and revocation. Enterprises use it to support cross-domain access, partner integrations, and zero trust architectures by enforcing token-based access controls instead of direct credential sharing.

3. Related or Adjacent Technologies

OAuth 2.0 frequently operates with OpenID Connect (OIDC), which adds an authentication layer and standardized identity tokens on top of the OAuth 2.0 authorization flows. It also aligns with JSON Web Token and related specifications that define token formats, signatures, and encryption for conveying claims between parties.

Security frameworks and standards such as NIST digital identity guidelines reference OAuth 2.0 patterns for federated access and API protection. Enterprises use OAuth 2.0 alongside Transport Layer Security (TLS), access control policies, and Security Information and Event Management (SIEM) systems to implement layered access control.

4. Business and Operational Significance

OAuth 2.0 enables enterprises to delegate access to APIs and data in a controlled way, which supports partner ecosystems, Software-as-a-Service (SaaS) integration, and multi-tenant platforms. It reduces dependence on long-lived passwords or static credentials within applications by substituting scoped, time-bound tokens.

Operational teams use OAuth 2.0 to standardize how applications request and obtain access, which supports compliance requirements for least privilege and access revocation. It provides a basis for monitoring who accessed which resources, under what authorization context, and for how long, improving governance over digital services.