Generated by GPT-5-mini

| OAuth (standard) | |
|---|---|
| Name | OAuth |
| Caption | Authorization protocol diagram |
| Developer | Internet Engineering Task Force |
| Initial release | 2010 |
| Latest release | 2019 |
| Genre | Authorization framework |
OAuth is an open authorization framework that enables third-party applications to obtain limited access to protected resources on behalf of resource owners. It decouples authentication from authorization, allowing services to grant scoped, revocable tokens without exposing the resource owner's credentials to the client. Widely used across web, mobile, and API ecosystems, the specification is maintained and extended through collaborative standards bodies and major technology companies.
OAuth provides a standardized mechanism for delegated authorization between clients, resource servers, and authorization servers. The specification defines the roles of resource owner, client, authorization server, and resource server, which appear in deployments by organizations like Google, Microsoft, Facebook, Twitter, and Amazon; implementations are also integrated with identity platforms like Okta, Auth0, and Ping Identity. OAuth tokens, commonly bearer tokens, are issued with scopes and lifetimes that are managed in ecosystems including GitHub, GitLab, Slack, Spotify, and Salesforce. Security model discussions frequently involve standards groups such as the Internet Engineering Task Force and projects like the OpenID Foundation and the Fast Identity Online (FIDO) Alliance.
Work on the framework began as community-driven efforts involving developers from companies like Yandex, Flickr, and Yahoo! and was formalized through the IETF OAuth Working Group. The original 1.0 draft responded to integration needs faced by early social platforms such as Twitter and Facebook; subsequent security lessons led to a redesign culminating in the 2.0 specification shepherded by contributors from Microsoft, Google, Amazon Web Services, and PayPal. High-profile security incidents and analyses by practitioners associated with Mozilla Foundation, ACM conferences, and researchers at institutions like Stanford University prompted clarifications and errata. Extensions and best practices were produced through RFCs and cross-industry collaborations including OpenID Foundation and Kantara Initiative.
Core components include the authorization server and the resource server, which interact via access tokens, refresh tokens, and scope declarations; these elements are realized in product offerings from Microsoft Azure, Amazon Cognito, Google Cloud Platform, and IBM Cloud. Token formats range from opaque strings to self-contained tokens such as JSON Web Tokens, used alongside RFCs maintained by the IETF JSON Working Group. Clients are classified as confidential or public, a distinction applied by platforms like Heroku and Netlify when registering applications. The use of TLS as described by Internet Engineering Task Force standards underpins transport security; ancillary specifications such as OAuth 2.0 Token Introspection and the OAuth 2.0 Device Authorization Grant describe operational behaviors used by vendors including Apple, Samsung, and Cisco Systems.
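The paragraph above describes access tokens carrying scopes and lifetimes, and token introspection as the way a resource server learns about an opaque token. The following Python is an added example, not code from the page or from any vendor named on it; it shows the checks a resource server applies to a bearer token before serving a request. The introspection endpoint is simulated by a constructed in-memory table (a real resource server would POST the token to the authorization server's introspection endpoint over TLS), and the token strings, audience value, scope names, and the `authorize_request` helper are all assumed for illustration. The error strings follow the RFC 6750 bearer-token error codes.

```python
# Resource-server side of bearer-token handling: parse the Authorization
# header, consult token introspection (RFC 7662 shaped), then enforce
# activity, expiry, audience and scope before allowing the request.

# Fixed "current time" so the example is deterministic (constructed value).
NOW = 1_700_000_000

# Constructed stand-in for what the authorization server's introspection
# endpoint would return for each token. Unknown tokens yield {"active": False}.
INTROSPECTION = {
    "tok_good": {"active": True, "scope": "repo:read user:email",
                 "client_id": "app-1", "aud": "api.example", "exp": NOW + 3600},
    "tok_expired": {"active": True, "scope": "repo:read",
                    "client_id": "app-1", "aud": "api.example", "exp": NOW - 5},
    "tok_revoked": {"active": False},
    "tok_other_aud": {"active": True, "scope": "repo:write",
                      "client_id": "app-2", "aud": "other.example", "exp": NOW + 3600},
}


def introspect(token: str) -> dict:
    """Simulated introspection call; RFC 7662 says a server MUST answer
    {"active": false} for tokens it does not recognise."""
    return INTROSPECTION.get(token, {"active": False})


def authorize_request(authorization_header, required_scope: str,
                      audience: str = "api.example", now: int = NOW):
    """Return (allowed, reason). `reason` is "ok" or an RFC 6750 error code
    suitable for the WWW-Authenticate response header."""
    # 1. The header must be a Bearer credential with a non-empty token.
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return False, "invalid_request"
    token = authorization_header[len("Bearer "):].strip()
    if not token:
        return False, "invalid_request"

    info = introspect(token)

    # 2. Revoked, unknown or otherwise inactive tokens are rejected outright.
    if not info.get("active"):
        return False, "invalid_token"

    # 3. Lifetime: the token's exp must lie in the future.
    exp = info.get("exp")
    if exp is None or now >= exp:
        return False, "invalid_token"

    # 4. Audience: a token minted for another API must not be accepted here,
    #    otherwise a token leaked from one service can be replayed at another.
    if info.get("aud") != audience:
        return False, "invalid_token"

    # 5. Scope: the token must carry the specific permission this route needs.
    granted = set(info.get("scope", "").split())
    if required_scope not in granted:
        return False, "insufficient_scope"

    return True, "ok"


def www_authenticate(reason: str, realm: str = "api.example") -> str:
    """Header value a resource server returns alongside a 401/403."""
    if reason == "ok":
        return ""
    return f'Bearer realm="{realm}", error="{reason}"'
```

The ordering matters: the token is never trusted before introspection says it is active, and expiry and audience are checked before scope so that a stale or foreign token cannot produce a misleading "insufficient_scope" answer.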
OAuth defines multiple grant types to suit different scenarios: the authorization code grant (used by Google APIs, Facebook Login, and LinkedIn), the implicit grant (historically used by single-page applications on platforms like GitHub Pages), the resource owner password credentials grant (deprecated in many contexts by OpenID Foundation guidance), the client credentials grant for server-to-server interactions in Stripe and Square, and refresh token flows implemented by Dropbox and Box, Inc. The device authorization grant is adopted by consumer electronics platforms such as Roku, PlayStation, and Xbox for devices with constrained input. Implementors follow profiles and security best practices from standards groups including the IETF and the OpenID Foundation, and are influenced by regulation such as European Union-level privacy directives.
Threat models center on token leakage, replay attacks, cross-site request forgery, and authorization code interception; these concerns have been analyzed in academic venues like USENIX and IEEE Security and Privacy and addressed by mitigations such as PKCE, promoted by the IETF and adopted by mobile ecosystems including iOS and Android. High-profile breaches involving compromised tokens highlighted the need for continual improvement, prompting guidance from organizations such as the National Institute of Standards and Technology and incident analyses by firms like Mandiant and CrowdStrike. Implementations use recommendations from the W3C for CORS handling and from the IETF for TLS usage and token binding proposals; enterprise identity products from Oracle and SAP implement role-based and attribute-based access controls interoperable with OAuth-based authorization.
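The grant-type paragraph names the authorization code grant, and the threat-model paragraph above names code interception, replay and cross-site request forgery together with PKCE as a mitigation. The following Python is an added example serving both passages; it is not code from the page or from any provider it names. It implements the client side of the authorization code grant with PKCE (the S256 method from RFC 7636) and a `state` parameter, together with a constructed in-memory authorization server (`ToyAuthorizationServer`) that binds each issued code to the challenge it was requested with and enforces single use. The client identifier, redirect URI, endpoint URL and the `run_scenarios` helper are assumptions made for the example; the scenarios show why an intercepted or replayed code, or a redirect carrying a foreign `state`, fails the checks.

```python
import base64
import hashlib
import hmac
import secrets
import urllib.parse

# Constructed client registration values (not from any real provider).
CLIENT_ID = "example-public-client"
REDIRECT_URI = "https://app.example/callback"
AUTH_ENDPOINT = "https://as.example/authorize"


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_pkce_pair():
    # 32 random bytes encode to 43 characters, the minimum verifier length.
    verifier = b64url(secrets.token_bytes(32))
    return verifier, s256_challenge(verifier)


def begin_authorization(session: dict) -> str:
    """Client step 1: mint state and PKCE pair, keep them in the user's
    session, and build the URL the browser is sent to."""
    verifier, challenge = new_pkce_pair()
    session["state"] = b64url(secrets.token_bytes(16))
    session["verifier"] = verifier
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "profile",
              "state": session["state"], "code_challenge": challenge,
              "code_challenge_method": "S256"}
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


class ToyAuthorizationServer:
    """Constructed stand-in for an authorization server: each code is bound
    to the client, redirect_uri and code_challenge it was issued for, and the
    token endpoint checks those once (codes are single-use)."""

    def __init__(self):
        self._pending = {}

    def authorize(self, auth_url: str) -> dict:
        """Simulate the resource owner approving the request; returns the
        query string parameters the server would append to redirect_uri."""
        q = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(auth_url).query))
        if q.get("code_challenge_method") != "S256":   # require S256 PKCE
            return {"error": "invalid_request", "state": q.get("state", "")}
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"])
        return {"code": code, "state": q["state"]}

    def token(self, code: str, client_id: str, redirect_uri: str, code_verifier: str) -> dict:
        entry = self._pending.pop(code, None)         # consume: no replay
        if entry is None:
            return {"error": "invalid_grant"}
        exp_client, exp_redirect, exp_challenge = entry
        if client_id != exp_client or redirect_uri != exp_redirect:
            return {"error": "invalid_grant"}
        if not 43 <= len(code_verifier) <= 128:
            return {"error": "invalid_request"}
        if not hmac.compare_digest(s256_challenge(code_verifier), exp_challenge):
            return {"error": "invalid_grant"}         # code holder lacks the verifier
        return {"access_token": b64url(secrets.token_bytes(24)),
                "token_type": "Bearer", "expires_in": 3600}


def handle_callback(server: ToyAuthorizationServer, session: dict, query: dict) -> dict:
    """Client step 2: refuse a redirect whose state this session did not mint
    (CSRF / login-CSRF defence), then redeem the code with the stored verifier."""
    if "error" in query:
        return {"error": query["error"]}
    if not hmac.compare_digest(session.get("state", ""), query.get("state", "")):
        return {"error": "state_mismatch"}
    return server.token(query["code"], CLIENT_ID, REDIRECT_URI, session.pop("verifier", ""))


def run_scenarios() -> dict:
    """Honest flow plus the three failure modes the mitigations exist for."""
    server, results = ToyAuthorizationServer(), {}
    session = {}
    redirect = server.authorize(begin_authorization(session))
    results["honest"] = "access_token" in handle_callback(server, session, redirect)
    # Code observed in transit: without the verifier the exchange is refused.
    session = {}
    redirect = server.authorize(begin_authorization(session))
    results["intercepted_code"] = server.token(
        redirect["code"], CLIENT_ID, REDIRECT_URI, b64url(secrets.token_bytes(32))).get("error")
    # Replay: the same code presented a second time after a valid exchange.
    session = {}
    redirect = server.authorize(begin_authorization(session))
    verifier = session["verifier"]
    handle_callback(server, session, redirect)
    results["replayed_code"] = server.token(redirect["code"], CLIENT_ID, REDIRECT_URI, verifier).get("error")
    # CSRF: a redirect that carries a code and state from a different session.
    victim, other = {}, {}
    foreign_redirect = server.authorize(begin_authorization(other))
    begin_authorization(victim)
    results["forged_state"] = handle_callback(server, victim, foreign_redirect).get("error")
    return results
```

Two design points carry over to real deployments: the verifier never leaves the client until the token request, so observing the redirect alone yields nothing usable, and the server deletes the code on first use so a late or duplicate exchange is rejected rather than silently honoured.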
OAuth is implemented across major cloud providers and platforms including Google Cloud Platform, Microsoft Azure, Amazon Web Services, and IBM Cloud, and is integrated into developer tools such as GitHub, GitLab, and Bitbucket and continuous integration services like Jenkins. Mobile and desktop ecosystems leverage OAuth in conjunction with platform identity services from Apple, Google (Android), and Microsoft (Windows). Open-source libraries and frameworks supporting OAuth exist across languages and runtimes; examples include projects hosted by the Apache Software Foundation and packages in ecosystems like npm, PyPI, Maven Central, and RubyGems, and they are used in enterprise deployments by Salesforce, ServiceNow, and Workday.
OAuth's ecosystem includes related specifications such as OpenID Connect for authentication, the OAuth 2.0 Device Authorization Grant, OAuth 2.0 Token Exchange, and OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens. Interoperability with token formats and security tokens involves JSON Web Token, the Security Assertion Markup Language (SAML), and federation protocols used by SAML deployments such as Microsoft Active Directory Federation Services and Shibboleth. Governance and conformance efforts are coordinated by bodies including the IETF and the OpenID Foundation, and academic research from institutions like MIT, Carnegie Mellon University, and ETH Zurich continues to influence extensions and formal analyses.