OAuth 2.0, or Open Authorization 2.0, is the industry-standard protocol that lets users share selected resources with third parties without handing over their credentials. OAuth 2.0 (pronounced “Oh-Auth”) functions as a middleman between end users and third-party applications: it issues those applications access tokens that authorize them to use only the specific resources the user has allowed.
As the internet grew and more applications, services, and websites came to rely on each other, OAuth was developed to allow need-only resource sharing without users having to sign in repeatedly across multiple websites, services, or accounts. Letting a connected site access limited information (for example, only your photos), with the user’s permission and without forcing the user to re-authenticate, promotes data privacy while also increasing convenience.
The Open Authorization protocol (OAuth 1.0) was created in 2007 by the Internet Engineering Task Force (IETF) OAuth Working Group. It was replaced in 2012 by OAuth 2.0, which, although it may look like an update, is an entirely new protocol. OAuth 2.0 includes new provisions for mobile applications and is not backward compatible with OAuth 1.0.
The main reason for the OAuth 2.0 rollout was that, in practice, ongoing digital transformation made OAuth 1.0 increasingly difficult to implement in certain use cases. OAuth 2.0 made the process more user-friendly, relying on the secure and widely deployed HTTPS transport instead of OAuth 1.0’s complex per-request cryptographic signatures, and extending the protocol to a broader range of applications (such as mobile).
OAuth 2.0 is a way to authorize third-party access (via access tokens), not an authentication method in the traditional sense. To be genuinely secure, authentication must be performed by a Federated Identity Management (FIM) protocol.
As an example, using OAuth 2.0 for authorization (its intended purpose) is like allowing a friend of a friend to go into your backyard and borrow your rake. If that friend of a friend is dishonest, the worst that can happen is that they steal things from your yard, so you grant them permission (“Allow XYZ app to access Google Photos?”).
Using OAuth 2.0 for authentication would grant that same friend of a friend permission to enter your house, with no more of a background check than a simple authorization (clicking “Continue,” in the OAuth world). FIM protocols instead intervene and subject this person to additional scrutiny, ensuring they are who they say they are before granting access to your house.
In practical terms, OAuth 2.0 is the process that lets you engage with a range of online services without signing in to each one. It is at work when you see a “Sign in with Google” option for an online service. Because you have already authenticated by entering your credentials with Google, and Google has access to all your Google-hosted resources, OAuth 2.0 bridges the two so you don’t have to sign in again. OAuth 2.0 provides both security and convenience when engaging with other apps.
For example, say you want to post a picture in a new mobile app and receive the pop-up message “XYZ app wants to access your Google Photos.” When you select “Continue,” you authorize Google to release access to your photos to the new app, but you are not giving the app access to your credentials. This takes place without the need to log in again.
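The consent exchange just described, modelled end to end as an added example (this is not code from the original page or from any OAuth library, and every name in it, including alice, xyz-app, photos.read and the example URLs, is constructed). It shows the three properties the text relies on: the user’s password goes only to the authorization server, the app receives an opaque token limited to the scope that was granted, and the resource server refuses the same token for anything outside that scope. It also enforces two protocol details the text leaves implicit: the authorization code is single-use, and the app checks the `state` value so that a callback it did not start is rejected.

```python
"""Toy OAuth 2.0 authorization-code flow (constructed example; names such as alice,
xyz-app and photos.read are made up, and this is not any real library's API)."""
import hmac
import secrets
import time

class AuthorizationServer:
    """Holds the user's credentials; issues one-time codes and scoped access tokens."""

    def __init__(self):
        self._users = {"alice": "correct horse battery staple"}  # constructed sample user
        self._clients = {"xyz-app": "https://xyz.example/callback"}  # registered redirect URI
        self._codes = {}   # code  -> (client_id, user, scope, redirect_uri, expires_at)
        self._tokens = {}  # token -> (client_id, user, scope, expires_at)

    def authorize(self, client_id, redirect_uri, scope, state, user, password, consent):
        """Consent page: the user authenticates HERE, never to the third-party app."""
        if self._clients.get(client_id) != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if not hmac.compare_digest(self._users.get(user, ""), password):
            raise PermissionError("bad user credentials")
        if not consent:
            return {"error": "access_denied", "state": state}
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, user, scope, redirect_uri, time.time() + 60)
        return {"code": code, "state": state}

    def token(self, client_id, code, redirect_uri):
        """Token endpoint: a one-time code becomes an opaque token limited to the granted scope."""
        entry = self._codes.pop(code, None)  # pop() makes the code single-use
        if entry is None:
            raise PermissionError("invalid or already-used code")
        c_id, user, scope, r_uri, expires_at = entry
        if c_id != client_id or r_uri != redirect_uri or time.time() > expires_at:
            raise PermissionError("code was not issued to this client")
        token = secrets.token_urlsafe(32)  # random handle: reveals nothing about the password
        self._tokens[token] = (client_id, user, scope, time.time() + 3600)
        return {"access_token": token, "token_type": "Bearer", "scope": scope}

    def introspect(self, token):
        entry = self._tokens.get(token)
        if entry is None or time.time() > entry[3]:
            return {"active": False}
        return {"active": True, "client_id": entry[0], "sub": entry[1], "scope": entry[2]}

class PhotoResourceServer:
    """Stand-in for the photo API: serves only what the token's scope allows."""
    REQUIRED_SCOPE = {"/photos": "photos.read", "/contacts": "contacts.read"}

    def __init__(self, auth_server):
        self._auth = auth_server
        self._data = {"/photos": {"alice": ["beach.jpg", "dog.jpg"]},
                      "/contacts": {"alice": ["bob@example.com"]}}

    def get(self, path, bearer_token):
        info = self._auth.introspect(bearer_token)
        if not info["active"]:
            return 401, "invalid_token"
        if self.REQUIRED_SCOPE[path] not in info["scope"].split():
            return 403, "insufficient_scope"  # valid token, but not granted for this resource
        return 200, self._data[path][info["sub"]]

class ThirdPartyApp:
    """XYZ app: only ever handles codes and tokens, never the user's password."""
    client_id, redirect_uri = "xyz-app", "https://xyz.example/callback"

    def __init__(self, auth_server):
        self._auth, self._state = auth_server, None

    def start(self, scope):
        self._state = secrets.token_urlsafe(16)  # ties the callback to this session
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "scope": scope, "state": self._state}

    def callback(self, response):
        if not hmac.compare_digest(response.get("state", ""), self._state or ""):
            raise PermissionError("state mismatch: callback not started by this app")
        if "error" in response:
            return None  # the user chose not to grant access
        return self._auth.token(self.client_id, response["code"], self.redirect_uri)["access_token"]

def run_flow(consent=True):
    """Walk the whole exchange and report what each party ends up with."""
    auth = AuthorizationServer()
    app, api = ThirdPartyApp(auth), PhotoResourceServer(auth)
    req = app.start("photos.read")  # asks for photos only, nothing else
    resp = auth.authorize(req["client_id"], req["redirect_uri"], req["scope"], req["state"],
                          "alice", "correct horse battery staple", consent)
    token = app.callback(resp)
    if token is None:
        return {"token": None}
    try:  # replaying the same code must be refused
        auth.token(app.client_id, resp["code"], app.redirect_uri)
        reuse_rejected = False
    except PermissionError:
        reuse_rejected = True
    return {"token": token, "photos": api.get("/photos", token),
            "contacts": api.get("/contacts", token), "code_reuse_rejected": reuse_rejected}
```

Calling `run_flow()` returns the photo listing with status 200, a 403 `insufficient_scope` for the contacts endpoint, and confirms that the spent authorization code was refused; `run_flow(consent=False)` ends with no token at all, which is what happens when the user declines the “Continue” prompt. The token is a random handle that the resource server resolves through introspection, so nothing the app holds says anything about the user’s password.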
OAuth 2.0 reduces the number of times a user is asked to log in on the internet, which can be considerable given how many websites, applications, and third parties there are. Even in-app games such as those on Facebook can be quietly owned by third parties rather than the platform itself. Every time a user is asked to “Grant Access” to an online service or to “Sign in with Google (or Yahoo, etc.),” that is an example of OAuth at work, protecting users’ privacy and preventing login burnout.