LLMpedia: The first transparent, open encyclopedia generated by LLMs

OAuth

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
OAuth
Name: OAuth
Author: Blaine Cook, Chris Messina
Developer: Twitter, Google, Microsoft, Facebook
Released: 2007
Programming language: Multi-language
License: Open standard

OAuth is an open standard for delegated authorization that lets a third-party application obtain limited access to protected resources on behalf of a resource owner. It separates authentication from authorization and provides a framework for issuing tokens that represent the account holder's consent. Widely used by major technology companies and standardized through the IETF, OAuth underpins many Google APIs, Facebook integrations, and single sign-on patterns across the web.

Overview

OAuth defines a model in which a client application requests an access token from an authorization server and then presents that token to act on behalf of a resource owner when accessing resources hosted by a resource server. The standard introduces four distinct actors (resource owner, client, authorization server, and resource server) to delineate responsibilities in an authorization transaction. Implementations interoperate across platforms from Microsoft, Apple Inc., Amazon, and other providers, supporting web applications, native mobile apps, and IoT device clients. The specification emphasizes token issuance, scope limitation, and revocation mechanics to allow granular control over delegated access.

History and Development

The OAuth initiative began as a response to the practice, common on early social platforms, of sharing account credentials between services; initial drafts circulated in the late 2000s with contributors from Twitter and independent developers. The protocol evolved through community discussion and interoperability testing with participation from companies such as Google, Yahoo!, and LinkedIn, and from standards bodies including the Internet Engineering Task Force. The formalization of OAuth 2.0 introduced substantial changes driven by real-world deployment at scale, with input from security researchers affiliated with institutions such as MITRE Corporation and from vendors including Cisco Systems. Subsequent revisions and best-current-practice documents were informed by analyses of incidents involving Facebook and other large-scale API ecosystems.

Protocol Architecture and Roles

OAuth's architecture assigns clear roles: the resource owner (an individual account holder), the client (an application seeking access), the authorization server (which issues tokens), and the resource server (which hosts the protected data). These roles are reflected in deployments by cloud providers such as Amazon and in enterprise identity systems from Okta, Inc. and Ping Identity. Token types include bearer tokens and structured tokens such as JWTs, used in implementations from Microsoft and Google. The architecture supports delegation patterns integrated with identity providers such as Auth0 and with federation technologies exemplified by SAML deployments and Azure Active Directory.
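The resource-server role described above, together with the scope limitation and short token lifetimes mentioned in the Overview, as an added Python example that is not part of the original article. It assumes a JWT bearer access token signed with HS256 under a shared key; the key, the claims and the audience value are constructed for the demonstration.

```python
# Added example, not from the original article: the resource-server role described above,
# checking a JWT bearer access token (HS256 with a shared key) for signature, expiry,
# audience and scope before serving a request. The key and claims are constructed here.
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key-not-for-production"  # shared with the authorization server


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims, key=SECRET):
    """Authorization server side: compact JWS with an HS256 signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_access_token(token, audience, required_scope, key=SECRET, now=None):
    """Resource server side: return the claims if the bearer token is acceptable, else None."""
    now = time.time() if now is None else now
    try:
        header, body, sig = token.split(".")
        if json.loads(_unb64url(header)).get("alg") != "HS256":
            return None  # never let the token choose its own algorithm (e.g. "none")
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None  # signature mismatch: tampered body or wrong key
        claims = json.loads(_unb64url(body))
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None  # expired: short lifetimes only help if expiry is enforced
    if claims.get("aud") != audience:
        return None  # token minted for a different resource server
    if required_scope not in claims.get("scope", "").split():
        return None  # scope limitation enforced at the resource server
    return claims
```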

Authorization Flows and Grant Types

OAuth specifies multiple flows for different scenarios: the authorization code flow for server-based applications, the implicit flow historically used by single-page applications, the resource owner password credentials flow for legacy needs, and the client credentials flow for service-to-service authorization. These flows map to real products and use cases in services from Slack Technologies, GitHub, Spotify Technology, and Dropbox, Inc. In practice, the authorization code flow is commonly paired with proof-of-possession extensions such as PKCE, advocated in security guidance from organizations like the OpenID Foundation and adopted by platforms including Google and Apple Inc.

Security Considerations and Threats

Security analyses of the protocol have been contributed by researchers at Stanford University and the University of Oxford and by groups such as OWASP. Threats include token interception, replay attacks, authorization code injection, and token leakage through inappropriate storage in mobile apps or browser contexts. Mitigations include the use of TLS as mandated by IETF recommendations, PKCE for public clients, rotation and short lifetimes for access tokens, and refresh tokens kept in secure storage, as practiced by Microsoft and Google. Incident response practices and hardening guidelines from vendors such as Amazon and consultancies like Deloitte inform deployment best practices.
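The authorization code flow with PKCE from the previous section, and the code-injection and replay mitigations listed here, as an added Python example that is not part of the original article. It models both the client side (verifier, S256 challenge, front-channel request) and the authorization server side (one-time codes bound to the challenge); client IDs, URLs and the in-memory code store are assumptions.

```python
# Added example, not from the original article: a minimal in-memory model of the
# authorization code flow with PKCE (S256). Client IDs, URLs and the store are illustrative.
import base64
import hashlib
import secrets
from urllib.parse import urlencode

def b64url(raw):
    """Base64url without '=' padding, as PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def challenge_for(verifier):
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def make_pkce_pair():
    """Client side: a fresh random code_verifier and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))  # 43 characters of high entropy
    return verifier, challenge_for(verifier)

def build_authorization_url(base, client_id, redirect_uri, state, challenge):
    """Client side: the front-channel request carried through the user's browser."""
    return base + "?" + urlencode({
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "state": state, "code_challenge": challenge, "code_challenge_method": "S256"})

class AuthorizationServer:
    """Server side: one-time codes bound to client, redirect_uri and the PKCE challenge."""

    def __init__(self):
        self._codes = {}  # code -> record; a real server also expires codes quickly

    def issue_code(self, client_id, redirect_uri, challenge):
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "challenge": challenge}
        return code

    def exchange(self, code, client_id, redirect_uri, verifier):
        """Token endpoint. pop() makes a replayed code fail; the verifier check makes a
        code injected from another session (whose verifier this client lacks) fail."""
        rec = self._codes.pop(code, None)
        if rec is None:
            return None  # unknown or already-used code (replay)
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            return None  # code issued to a different client or redirect target
        if not secrets.compare_digest(challenge_for(verifier), rec["challenge"]):
            return None  # verifier does not match the challenge (code injection)
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 600}  # short-lived, as the mitigations above advise
```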

Implementations and Adoption

Large-scale adoption is visible across major platforms and enterprise software: Google APIs, Facebook Login, the Microsoft identity platform, and API ecosystems from Salesforce and Box, Inc. Popular open-source libraries and servers include projects hosted by the Apache Software Foundation and the Linux Foundation. Mobile SDKs from Apple Inc. and Google embed OAuth flows, and cloud identity providers such as Okta, Inc. and Auth0 offer managed authorization servers. Regulatory and industry use cases in finance and healthcare have integrated OAuth with standards from HL7 and with enterprise platforms such as Oracle Corporation.

OAuth has spawned related specifications and extensions, including OpenID Connect for authentication, token introspection and revocation endpoints, and mechanisms for mutual TLS and JWT profiles. Work on profiles and best practices involves contributor groups such as the OpenID Foundation, standards bodies like the IETF, and identity alliances including the FIDO Alliance. Interoperability efforts link OAuth with federation protocols such as SAML and with consent frameworks used under European Union regulation and by large vendors such as IBM and Cisco Systems.

Categories: Computer security protocols; Application layer protocols