| OAuth 2.0 | |
|---|---|
| Name | OAuth 2.0 |
| Developer | Internet Engineering Task Force |
| Released | 2012 |
| Latest release | RFC 6749 |
| Programming language | language-agnostic |
| License | IETF standards |
OAuth 2.0 is an authorization framework standardized by the Internet Engineering Task Force (IETF) that lets a user delegate access to protected resources without sharing their credentials. It is widely used by technology companies, financial institutions, and social platforms to grant third-party applications limited access to user data on behalf of resource owners. Major adopters include Google, Facebook, Microsoft, Amazon, and Twitter, while governance and standardization involve bodies such as the IETF, the World Wide Web Consortium, and national regulators.
OAuth 2.0 emerged from a need to modernize delegated authorization, originally motivated by interoperability problems among early web portals and APIs run by firms such as Myspace, Yahoo!, AOL, and Silicon Valley startups. The specification, documented in RFC 6749 and RFC 6750, formalized the roles and token types used by resource servers operated by entities such as Dropbox, Box, and financial providers regulated under laws such as the Gramm–Leach–Bliley Act. OAuth 2.0 complements authentication layers such as OpenID Connect and the federated identity arrangements used by institutions like Harvard University and corporations like IBM and Oracle Corporation.
OAuth 2.0 defines four distinct actors: the resource owner, the client, the authorization server, and the resource server. These roles are implemented in products from Google Cloud Platform, Amazon Web Services, Microsoft Azure, and Auth0. The resource owner may be an end user at organizations such as Facebook or LinkedIn, or a machine identity of the kind used in deployments by Netflix or Spotify. Authorization servers are often provided by identity vendors such as Okta, Ping Identity, and ForgeRock, or by platform operators like Apple Inc. and Salesforce. Resource servers correspond to API endpoints hosted by services including GitHub, Stripe, PayPal, and telecom providers such as AT&T.
OAuth 2.0 specifies grant types and flows including the authorization code, implicit, resource owner password credentials, and client credentials flows, each used by different ecosystems: web applications at Google, single-page applications at firms like Airbnb, mobile apps from Uber, and backend services in enterprises such as Goldman Sachs. The authorization code flow is often paired with the PKCE extension in mobile deployments from Apple Inc. and Google LLC. The client credentials flow is common in machine-to-machine scenarios at infrastructure companies such as Red Hat and Cisco Systems, while the resource owner password credentials flow has historically been used in legacy integrations at banks like JPMorgan Chase and platforms like eBay. OpenID Connect, used by Microsoft and Amazon, builds an identity layer on top of the authorization code flow to federate identity across domains such as higher-education consortia like InCommon.
Security analysis of OAuth 2.0 addresses threat models relevant to major incidents affecting firms including Equifax and Sony, and to sectors overseen by agencies such as the Federal Trade Commission and the European Commission. Threats include token interception, comparable in impact to historical breaches at Yahoo!; authorization code injection, akin to vulnerabilities reported by researchers at universities such as Stanford University and MIT; and cross-site request forgery, reminiscent of web exploits cataloged by organizations like OWASP and incident response teams like the CERT Coordination Center. Mitigations include TLS as mandated by the IETF, the audience-restriction practices used by Google and Microsoft, token binding proposals evaluated by research groups at the University of Cambridge and firms like Nokia, and hardened deployments using hardware security modules from vendors such as Thales Group and Entrust.
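As an added example (not part of the original article or of any vendor's code), the following Python sketches how the authorization code flow with PKCE and the state parameter mitigates two of the threats above, authorization code injection and cross-site request forgery: the client binds its request to a fresh code_verifier and state, discards a callback whose state does not match, and the authorization server refuses a token request whose verifier does not hash to the challenge stored with the code. Endpoint URLs, client identifiers and the callback query strings are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), unpadded (RFC 7636 S256)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Client side: a fresh high-entropy code_verifier (43 chars) and its S256 challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, s256_challenge(verifier)


def build_authorization_url(authz_endpoint: str, client_id: str, redirect_uri: str,
                            scope: str, state: str, code_challenge: str) -> str:
    """Client side: authorization request carrying state (CSRF defence) and the PKCE challenge."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{authz_endpoint}?{urlencode(params)}"


def code_from_callback(callback_url: str, expected_state: str) -> Optional[str]:
    """Client side: accept the redirect only if its state equals the value saved in the session."""
    query = parse_qs(urlparse(callback_url).query)
    received_state = query.get("state", [""])[0]
    if not hmac.compare_digest(received_state.encode("utf-8"), expected_state.encode("utf-8")):
        return None  # forged or replayed callback: never redeem this code
    return query.get("code", [None])[0]


def server_accepts_token_request(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization server side: the token request must prove possession of the verifier
    bound to the code, so an injected or intercepted code by itself cannot be redeemed."""
    return hmac.compare_digest(s256_challenge(presented_verifier), stored_challenge)
```

The first assertion in the accompanying test uses the S256 vector from RFC 7636 Appendix B, so the hashing can be checked against the standard rather than against itself.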
The OAuth ecosystem expanded through extensions and profiles promulgated in standards and by vendors: OpenID Connect for identity at Google and Microsoft, Proof Key for Code Exchange (PKCE) adopted by Apple Inc. for iOS apps, Token Exchange used in cloud federations among AWS, Azure, and Google Cloud Platform, and the Device Authorization Grant implemented by consumer services such as Netflix and Roku. Industry-specific profiles include the Financial-grade API developed under initiatives like Open Banking in the United Kingdom and regulatory frameworks such as PSD2 that apply to banks including HSBC and Barclays. Research and standards work by groups such as the IETF OAuth Working Group and organizations like the FIDO Alliance inform extensions for stronger cryptographic binding and phishing resistance.
OAuth 2.0 is implemented across open source projects and commercial products: libraries and servers from the Spring Framework, Apache Software Foundation projects, NGINX, and Envoy, and identity platforms like Keycloak, Auth0, Okta, and ForgeRock. Major platform operators embed OAuth 2.0 into their developer ecosystems at Google, Facebook, Microsoft, Amazon, and Twitter, enabling integrations by startups such as Stripe, Square, Airbnb, and Uber, and by enterprise customers including Accenture and Deloitte. Adoption is shaped by regulatory regimes and standards consortia including the European Commission, the Bank for International Settlements, and technology alliances like the Cloud Native Computing Foundation.