interview

home / developersection / interviews / what is oauth 2.0 and how does it work?

Ask Question
ICSM Computer

IT-Hardware & Networking

Ravi Vishwakarma is a dedicated Software Developer with a passion for crafting efficient and innovative solutions. With a keen eye for detail and years of experience, he excels in developing robust software systems that meet client needs. His expertise spans across multiple programming languages and technologies, making him a valuable asset in any software development project.

Follow
Can you answer this question?
Answer

1 Answers

ICSM Computer

ICSM Computer

05-Jun-2025

OAuth 2.0 is an industry-standard authorization framework that allows third-party applications to access user data without exposing user credentials (like passwords).

What Is OAuth 2.0?

It’s not authentication (though often misused that way) — it’s for granting access to resources.

OAuth allows a user to authorize one application to access their data (e.g., profile, files) on another service securely and in a controlled manner.

Real-World Analogy

It's like giving someone a hotel keycard (token) that opens only one door, only during your stay, instead of giving them your master key (password).

OAuth 2.0 Key Roles

Role Description
Resource Owner The user who owns the data (e.g., you).
Client The app requesting access (e.g., Instagram).
Authorization Server Issues tokens (e.g., Google Auth server).
Resource Server Hosts the data (e.g., Google Drive API).

How OAuth 2.0 Works (Authorization Code Flow – Most Common)

Step-by-Step

  • Client Redirects User to Authorization Server
https://authserver.com/auth?client_id=abc&redirect_uri=...&response_type=code&scope=read
  • User Logs In & Approves Access
    • The user logs in to the authorization server and grants permission.
  • Authorization Server Sends Back a Code
    • Redirects back to client app:
https://yourapp.com/callback?code=xyz123
  • Client Exchanges Code for Access Token
    • Backend server sends a POST request with:
      • client ID
      • client secret
      • auth code
      • redirect URI
    • Response:
{
  "access_token": "abc123token",
  "refresh_token": "xyz789",
  "expires_in": 3600
}
  • Client Uses Access Token to Call API
    • Adds header:
Authorization: Bearer abc123token
  • Access Token Expires
    • Use refresh_token to get a new one without prompting user again.

 

Grant Types (Flows)

Grant Type Use Case
Authorization Code Most secure. Used by web apps, SPAs (with PKCE).
Client Credentials Machine-to-machine communication (no user).
Implicit Legacy for SPAs (now discouraged due to security).
Password Grant Direct username/password (discouraged).
Device Code For devices without a browser (e.g., smart TVs).

Benefits of OAuth 2.0

  • Secure Delegation: Apps don’t get user passwords.
  • Token Expiry: Reduces risk of long-term compromise.
  • Fine-Grained Scopes: Control what an app can access.
  • Standardized: Widely adopted (Google, Facebook, GitHub, etc.).

Common Misconception

OAuth 2.0 is not authentication — it's about delegated access.
To authenticate a user, use OpenID Connect (OIDC), which builds on OAuth 2.0.

 

MindStick Training
MindStick Training

Liked By

We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy