LLMpedia: The first transparent, open encyclopedia generated by LLMs

OAuth (protocol)

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: OAuth
Caption: Authorization framework
Developer: IETF
Initial release: 2010
Latest release: RFC 6749 / RFC 6750

OAuth (protocol) is an authorization framework that enables third-party applications to obtain limited access to protected resources on behalf of resource owners. It is specified by the Internet Engineering Task Force and has been adopted across major technology companies and standards bodies for delegated access to APIs, services, and devices.

Overview

OAuth provides a mechanism for resource owners to grant access to clients without sharing their credentials, using tokens issued by an authorization server. Major technology organizations such as the Internet Engineering Task Force, W3C, Microsoft, Google, Facebook, and Twitter have shaped its usage across web platforms, mobile platforms like Android (operating system), and ecosystems including Apple Inc. and Amazon (company). OAuth interactions typically involve resource servers such as GitHub, Dropbox, Salesforce, and Slack, and client applications developed by companies like Spotify and Uber Technologies, Inc.

History and development

OAuth emerged from efforts by developers at companies including Twitter, Google, and Flickr to avoid password sharing between services. Early drafts and community work were coordinated with input from the IETF OAuth Working Group, leading to the publication of the predecessor RFC 5849 and the finalized specifications RFC 6749 and RFC 6750. Influential figures and organizations in its evolution include engineers associated with Yahoo!, LinkedIn Corporation, Amazon Web Services, and contributors from the OpenID Foundation and the IETF. Subsequent extensions and profiles were influenced by security research from institutions like OWASP and academic groups at the Massachusetts Institute of Technology and Stanford University.

Architecture and components

The OAuth architecture defines four roles: resource owner, client, authorization server, and resource server. Authorization servers and token endpoints are often hosted by providers such as Google, Microsoft Azure, Okta, Auth0, and Amazon Cognito. Tokens include access tokens and refresh tokens, which may be formatted as JSON Web Tokens or validated by resource servers through token introspection as defined in RFC 7662. Interactions take place over HTTP endpoints protected by TLS, with client registration practices seen in Kubernetes and cloud platforms such as Google Cloud Platform and Microsoft Azure. Scopes and consent screens are managed in ecosystems built by companies like Apple, Facebook, and GitHub.
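The resource-server side of the architecture described above, as an added example that is not part of the original article: a protected API receives a bearer token (RFC 6750), asks the authorization server's introspection endpoint (RFC 7662) whether it is active, and re-checks expiry, audience and scope locally before serving the request. The introspection endpoint is simulated in-process, and the token strings, audience value, client id and scope names are constructed for illustration.

```python
"""Resource server side of OAuth 2.0: accept a bearer token (RFC 6750) and check it
through token introspection (RFC 7662) before serving a protected resource.

Added example, not from the original article. The introspection endpoint is
simulated in-process; token strings, the audience value and the scope names are
constructed for illustration.
"""

AUDIENCE = "https://api.example"   # constructed identifier of this resource server
NOW = 1_700_000_000                # fixed clock so the example is deterministic

# Constructed authorization-server state: what /introspect would report per token.
ISSUED = {
    "tok-valid":   {"active": True, "scope": "files:read files:write",
                    "client_id": "demo-client", "exp": NOW + 3600, "aud": AUDIENCE},
    "tok-expired": {"active": True, "scope": "files:read",
                    "client_id": "demo-client", "exp": NOW - 1, "aud": AUDIENCE},
    "tok-foreign": {"active": True, "scope": "files:read",
                    "client_id": "demo-client", "exp": NOW + 3600, "aud": "https://other.example"},
}


def introspect(token: str) -> dict:
    """Stand-in for POST /introspect: unknown or revoked tokens yield only {"active": false}."""
    return dict(ISSUED.get(token, {"active": False}))


def parse_bearer(auth_header):
    """Extract the token from 'Authorization: Bearer <token>'; None if absent or malformed."""
    parts = auth_header.split(None, 1) if auth_header else []
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return None
    return parts[1].strip()


def authorize_request(auth_header, required_scope: str, now: int = NOW):
    """Return (HTTP status, headers-or-claims).

    Per RFC 6750 section 3.1: a missing or invalid token is answered with 401 and a
    WWW-Authenticate challenge; a valid token that lacks the required scope gets 403.
    """
    token = parse_bearer(auth_header)
    if token is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}
    info = introspect(token)
    # exp and aud are re-checked locally even when the server reports active=true,
    # so a stale token or one issued for another API cannot be accepted here.
    if not info.get("active") or info.get("exp", 0) <= now or info.get("aud") != AUDIENCE:
        return 401, {"WWW-Authenticate": 'Bearer realm="api", error="invalid_token"'}
    if required_scope not in info.get("scope", "").split():
        return 403, {"WWW-Authenticate":
                     f'Bearer realm="api", error="insufficient_scope", scope="{required_scope}"'}
    return 200, {"client_id": info["client_id"], "scope": info["scope"]}
```

A real deployment would send the introspection request over TLS with the resource server's own client credentials and cache the result for no longer than the token's remaining lifetime; the status-code split (401 for token problems, 403 for scope problems) is what lets a client distinguish "get a new token" from "ask for more permission".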

Grant types and flows

OAuth defines several grant types and flows to accommodate different clients and contexts: authorization code, implicit, resource owner password credentials, and client credentials. The authorization code flow is used by web applications operated by organizations including WordPress and Salesforce, while native application flows are used on platforms like iOS and Android (operating system). The implicit flow was popularized by single-page applications built with frameworks such as React (JavaScript library) and Angular (application platform), though many vendors including Google and Microsoft now recommend alternatives. Machine-to-machine interactions use the client credentials flow in services from IBM Cloud and Amazon Web Services.

Security considerations and vulnerabilities

Security analyses by organizations such as OWASP, researchers from Carnegie Mellon University, and teams at Google and Microsoft have identified vulnerabilities including token leakage, cross-site request forgery, and misconfigured redirect URIs. Mitigations include Proof Key for Code Exchange, developed with input from Dropbox and Box, Inc., token binding proposals discussed at the IETF, and the use of Transport Layer Security across API providers such as Stripe and PayPal. High-profile incidents involving compromised tokens have affected services at GitHub and Slack, prompting guidance from the OpenID Foundation and updates to specifications by the IETF.
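The authorization code flow from the "Grant types and flows" section, together with the three mitigations named above (exact redirect URI matching, a state value against cross-site request forgery, and Proof Key for Code Exchange), as an added example that is not part of the original article: both the authorization server and a public client are simulated in one process. The client id, redirect URIs, scope name and endpoint behaviour are constructed for illustration; the checks follow RFC 6749 section 4.1 and RFC 7636.

```python
"""Authorization code grant with PKCE (RFC 7636) and a CSRF-protecting state value.

Added example, not from the original article: the authorization server and a
public client are simulated in one process. Client id, redirect URIs, scope
name and endpoint behaviour are constructed for illustration.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE requires for the S256 challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    def __init__(self):
        # Registered redirect URIs are matched by exact string comparison: the
        # mitigation for the misconfigured-redirect-URI class of weakness.
        self.clients = {"demo-client": {"redirect_uris": {"https://app.example/cb"}}}
        self.codes = {}  # code -> what it was issued for; every entry is single use

    def authorize(self, params: dict) -> str:
        """/authorize after the resource owner consents; returns the redirect URL."""
        client = self.clients.get(params.get("client_id"))
        if client is None:
            raise ValueError("unknown client")
        if params.get("redirect_uri") not in client["redirect_uris"]:
            raise ValueError("redirect_uri not registered for this client")
        if params.get("code_challenge_method") != "S256":
            raise ValueError("PKCE with S256 is required for public clients")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {k: params.get(k, "") for k in
                            ("client_id", "redirect_uri", "code_challenge", "scope")}
        # state is echoed back unchanged so the client can bind the response to its request
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form: dict) -> dict:
        """/token for grant_type=authorization_code."""
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported grant_type")
        record = self.codes.pop(form.get("code"), None)  # a replayed code is already gone
        if record is None:
            raise ValueError("invalid or already used code")
        if (record["client_id"], record["redirect_uri"]) != (form.get("client_id"), form.get("redirect_uri")):
            raise ValueError("code was issued to a different client or redirect_uri")
        # PKCE: S256(code_verifier) must equal the challenge presented at /authorize.
        digest = b64url(hashlib.sha256(form.get("code_verifier", "").encode("ascii")).digest())
        if not secrets.compare_digest(digest, record["code_challenge"]):
            raise ValueError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": record["scope"]}


class Client:
    """Public client that keeps state and code_verifier in its own session store."""

    def __init__(self, server: AuthorizationServer):
        self.server, self.session = server, {}
        self.client_id, self.redirect_uri = "demo-client", "https://app.example/cb"

    def start(self) -> dict:
        verifier = b64url(secrets.token_bytes(32))  # 43-character code_verifier
        self.session = {"state": secrets.token_urlsafe(16), "verifier": verifier}
        return {"response_type": "code", "client_id": self.client_id,
                "redirect_uri": self.redirect_uri, "scope": "files:read",
                "state": self.session["state"], "code_challenge_method": "S256",
                "code_challenge": b64url(hashlib.sha256(verifier.encode("ascii")).digest())}

    def callback(self, redirect_url: str) -> dict:
        query = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        # CSRF check: a response that does not carry this session's state is dropped.
        if not secrets.compare_digest(query.get("state", ""), self.session["state"]):
            raise ValueError("state mismatch")
        return self.server.token({"grant_type": "authorization_code", "code": query.get("code", ""),
                                  "redirect_uri": self.redirect_uri, "client_id": self.client_id,
                                  "code_verifier": self.session["verifier"]})


def fails(fn) -> bool:
    """True if the step is refused with ValueError."""
    try:
        fn()
    except ValueError:
        return True
    return False


def run_flow() -> dict:
    """Happy path: returns the token response."""
    server = AuthorizationServer()
    client = Client(server)
    return client.callback(server.authorize(client.start()))


def replay_rejected() -> bool:
    """The same code presented twice at /token is refused the second time."""
    server = AuthorizationServer()
    client = Client(server)
    redirect = server.authorize(client.start())
    client.callback(redirect)
    return fails(lambda: client.callback(redirect))


def unregistered_redirect_rejected() -> bool:
    """A redirect_uri that differs from the registered one, even slightly, is refused."""
    server = AuthorizationServer()
    client = Client(server)
    params = dict(client.start(), redirect_uri="https://app.example/cb/other")
    return fails(lambda: server.authorize(params))


def stale_state_rejected() -> bool:
    """A redirect carrying a state from an earlier session is ignored by the client."""
    server = AuthorizationServer()
    client = Client(server)
    redirect = server.authorize(client.start())
    client.start()  # new session, new state; the old redirect no longer matches
    return fails(lambda: client.callback(redirect))
```

The three negative checks are the ones a reviewer would want to see pass: the code is single use, the redirect URI must match a registered value exactly rather than by prefix, and a callback whose state does not belong to the current session is discarded before any token request is made.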

Implementations and adoption

OAuth implementations are available in identity platforms like Okta, Auth0, Keycloak, and enterprise solutions from Microsoft Azure Active Directory and Ping Identity. Open-source libraries for OAuth exist for ecosystems such as Node.js, Python (programming language), Java (programming language), Ruby (programming language), and PHP, supported by communities around projects like Apache Software Foundation, Linux Foundation, and Eclipse Foundation. Major service providers including Google, Facebook, GitHub, LinkedIn, and Microsoft expose OAuth-based developer APIs, and standards integration is common in cloud platforms like Amazon Web Services and Google Cloud Platform.

Criticisms and alternatives

Critics from security communities such as OWASP and academics at the University of California, Berkeley and Stanford University have pointed to complexity, misconfiguration risk, and backward compatibility issues. Alternatives and complementary standards include OpenID Connect, developed by the OpenID Foundation, and other approaches used in enterprise identity such as SAML and proprietary token systems from AWS Identity and Access Management and Microsoft Active Directory. Protocols and proposals debated in venues like the IETF and W3C continue to influence evolution and replacement strategies among vendors including Google, Apple Inc., and Microsoft.

Category:Computer security protocols