
OAuth

Generated by DeepSeek V3.2
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
OAuth
Name: OAuth
Developer: Internet Engineering Task Force
Released: October 2010
Latest release version: 2.0
Latest release date: October 2012
Genre: Authorization protocol

OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites without giving them their passwords. Developed by the Internet Engineering Task Force, it provides client applications with secure delegated access to server resources on behalf of a resource owner. The framework enables third-party applications to obtain limited access to an HTTP service, either on behalf of a resource owner or by allowing the application to obtain access on its own behalf.

Overview

The protocol allows account information held by services such as Facebook or Google to be used by third-party services without exposing the user's credentials. It acts as an intermediary on behalf of the end user, providing the third-party service with an access token that authorizes only the specific account information the user agreed to share. This process is fundamental to enabling single sign-on experiences across the web and in mobile applications. Major technology companies, including Twitter, Microsoft, and Amazon Web Services, have adopted it to secure their APIs. The specification details flows for web applications, desktop applications, mobile phones, and smart devices.

Technical Details

At its core, the framework defines several roles: the resource owner, the client, the resource server, and the authorization server. The authorization process typically involves the client obtaining an authorization grant, which it then exchanges for an access token at the authorization server. The client presents this access token with its requests to the resource server. Key grant types defined include the authorization code grant, implicit grant, resource owner password credentials grant, and client credentials grant. The protocol extensively uses JSON Web Tokens and relies on Transport Layer Security to secure communications. Implementations must handle token expiration and refresh mechanisms to maintain secure access.

Security Considerations

While designed to enhance security by eliminating the need to share passwords, various implementations have faced significant vulnerabilities. Common security issues include improper redirect URI validation, which can lead to authorization code interception, and the inherent risks of the implicit grant flow in certain environments. Phishing attacks remain a concern, as malicious actors can create fake authorization pages. The Open Web Application Security Project lists several related threats in its OWASP Top Ten. Best practices mandate the use of the PKCE extension for public clients, strict validation of all request parameters, and secure storage of client secrets and tokens. Regular security audits, like those conducted by NIST, are recommended.
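The following example, added here and not part of the original article, shows the two server-side steps of the authorization code grant described under Technical Details together with the mitigations named above: exact-match redirect URI validation, a mandatory PKCE S256 challenge for a public client, single-use and expiring codes, and verification of the code_verifier at the token endpoint. The AuthorizationServer class, the client id "mobile-app" and the redirect URI are constructed for illustration; the PKCE transform follows RFC 7636.

```python
import base64
import hashlib
import secrets
import time

def s256(verifier):
    """PKCE S256 transform (RFC 7636): BASE64URL(SHA-256(code_verifier)), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def make_pkce_pair():
    """Client side: a fresh code_verifier (43 unreserved chars) and its code_challenge."""
    verifier = secrets.token_urlsafe(32)
    return verifier, s256(verifier)

class AuthorizationServer:
    """Toy authorization server (constructed): authorize and token endpoints of the code grant."""
    def __init__(self, registered):
        self.registered = registered  # client_id -> set of exactly registered redirect URIs
        self.codes = {}               # authorization code -> grant record

    def authorize(self, client_id, redirect_uri, code_challenge, method="S256"):
        # Exact string match against registration; prefix, substring or wildcard matching
        # is the improper validation that lets a code be delivered to the wrong party.
        if redirect_uri not in self.registered.get(client_id, set()):
            raise ValueError("invalid_request: redirect_uri not registered")
        if method != "S256" or not code_challenge:
            raise ValueError("invalid_request: PKCE S256 challenge required")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "challenge": code_challenge, "expires": time.time() + 600}
        return code

    def token(self, client_id, code, redirect_uri, code_verifier):
        grant = self.codes.pop(code, None)  # single use: any second presentation fails
        if grant is None or grant["expires"] < time.time():
            raise ValueError("invalid_grant: unknown or expired code")
        if (grant["client_id"], grant["redirect_uri"]) != (client_id, redirect_uri):
            raise ValueError("invalid_grant: client_id or redirect_uri mismatch")
        if not secrets.compare_digest(s256(code_verifier), grant["challenge"]):
            raise ValueError("invalid_grant: code_verifier does not match challenge")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}

def rejected(request, *args):
    """True when the server refuses a request; lets callers probe each check."""
    try:
        request(*args)
        return False
    except ValueError:
        return True
```

A failed token exchange consumes the code as well, so an intercepted code is useless without the verifier and cannot be retried.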

Implementations and Use Cases

The standard is widely implemented across the industry. Popular libraries and services that support it include OpenID Connect, which builds an identity layer on top, and Apache Oltu. It is the backbone for logging into countless websites using credentials from major platforms like GitHub, LinkedIn, and Salesforce. Use cases extend from allowing a printing service to access a user's Google Photos to enabling a financial aggregator to read data from a user's Bank of America account via Open Banking APIs. In enterprise settings, it is used within SAML and LDAP environments to manage application access. The OAuth 2.0 Authorization Framework is formally documented in RFC 6749.

History and Versions

The initial version, OAuth 1.0, was published in 2007 as an open protocol by a small group of developers, including Blaine Cook and Chris Messina, while working on the Twitter API. OAuth 1.0a followed shortly to address a session fixation vulnerability. The current and fundamentally different version, OAuth 2.0, was developed by the IETF OAuth Working Group, chaired by Eran Hammer, and finalized in October 2012. Despite its widespread adoption, OAuth 2.0 has been criticized by some, including Hammer himself, for its complexity and security trade-offs. The community continues to evolve the ecosystem with extensions and profiles, such as those for Financial-grade API security.

Categories: Internet standards; Authentication methods; Application programming interfaces
