
OAuth 2.0 - Secure Delegated Authorization


OAuth is an authorization protocol for securely delegating access permissions without handing the user's password to a third party. It is widely used as the foundation for social login features such as "Sign in with Google" and "Sign in with Twitter." The current mainstream version is OAuth 2.0, which is the standard choice in web applications and mobile apps. As of 2025, OAuth 2.1 is being drafted; it strengthens security by, among other measures, making PKCE mandatory and removing the implicit flow.

The Difference Between OAuth and SSO

OAuth and SSO are concepts that are easily confused, but they serve different purposes. OAuth is an "authorization" protocol that handles the delegation of permissions, such as "allow this app to access my photos." SSO, on the other hand, is an "authentication" mechanism whose purpose is "accessing multiple services with a single login." In practice, it is common to use OAuth as the foundation for SSO by adding an authentication layer called OpenID Connect (OIDC) on top of OAuth. In other words, OAuth can be regarded as one of the technical building blocks for realizing SSO.

How OAuth Works

In OAuth, the user authenticates with the authorization server, which issues an access token. The application uses this token to call APIs and never handles the user's password directly. The token carries a scope (the range of permissions) and an expiration time, so it grants only the minimum necessary access rights. With a refresh token, the access token can be renewed without re-authenticating the user.

Real-World Use Cases

"We adopted OAuth 2.0 + PKCE for the authentication foundation of a new internal tool. We set the access token expiration to 15 minutes and designed it to renew automatically with a refresh token."

The OAuth Authorization Flow

1. The app sends an authorization request
2. The user approves the requested permissions
3. An authorization code is issued
4. The app exchanges the code for an access token
5. The app accesses the API with the token
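The five steps above, plus the PKCE protection the page mentions for OAuth 2.1 and the internal-tool case, as an added example that is not part of the original article. It simulates both sides in memory with RFC 7636's S256 method; the endpoint URLs, client id, scope and the ToyAuthorizationServer class are constructed for illustration.

```python
"""Authorization code flow with PKCE (RFC 7636, S256 method), simulated in memory."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_pkce_pair() -> tuple[str, str]:
    """Client side (step 1): random code_verifier and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside the 43..128 range
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorization_url(endpoint: str, client_id: str, redirect_uri: str,
                            scope: str, state: str, code_challenge: str) -> str:
    """Step 1: the redirect the app sends the user to; only the challenge leaves the app."""
    return endpoint + "?" + urlencode({
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": scope, "state": state,
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    })

class ToyAuthorizationServer:
    """Steps 3-4 (constructed stand-in): issues codes bound to a challenge, redeems each once."""

    def __init__(self) -> None:
        self.pending: dict[str, tuple[str, str, str]] = {}  # code -> (client, redirect, challenge)

    def issue_code(self, client_id: str, redirect_uri: str, code_challenge: str) -> str:
        code = secrets.token_urlsafe(24)
        self.pending[code] = (client_id, redirect_uri, code_challenge)
        return code

    def exchange(self, code: str, client_id: str, redirect_uri: str,
                 code_verifier: str) -> "dict | None":
        entry = self.pending.pop(code, None)  # single use: a replayed code is rejected
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            return None
        if not 43 <= len(code_verifier) <= 128:
            return None
        recomputed = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not hmac.compare_digest(recomputed, entry[2]):  # a stolen code without its verifier fails
            return None
        # 900 s matches the 15-minute access-token lifetime from the case quoted above.
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 900}
```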

Practical Considerations and Pitfalls

When using OAuth, it is important to keep the permissions granted to an application to a minimum. Be cautious of apps that request unnecessary permissions, such as "access to contacts" or "reading email." A common pitfall in practice is leaving OAuth integrations unattended after setting them up. Periodically review the integrations of apps you no longer use, and revoke unnecessary permissions. The security of the main account you link via OAuth (such as Google or Apple) is also extremely important: if the main account is compromised, every linked service is affected. Protect the main account with a unique, strong password for each service and two-factor authentication.
