OAuth 2.0 is an authorisation framework that allows users to grant limited access to their data without having to share their password. It is used when you want to delegate authentication to external services such as Google, Facebook or GitHub. It can also grant access to specific systems such as Google Drive. OAuth 2.0 uses scopes to restrict who can access what.
Scenario
You are building an application that integrates with Google Drive and want users to upload files to Google Drive from it. For security reasons, you don't want to store users' credentials. This is where OAuth 2.0 comes in: users grant temporary access and can restrict which resources the application may touch.
OAuth Flows
| Flow | Best For | Requires a Backend? |
|---|---|---|
| [[Authorisation Code]] | Web apps (frontend + backend) | Yes |
| [[Implicit Flow]] | Single-page apps (deprecated) | No |
| [[Client Credentials]] | Server-to-server communication | Yes |
| [[Device Code]] | TVs, smart devices (no browser input) | No |
Important
To be able to use OAuth at all, you need the following:
- Redirect URI: required by the provider so it knows where to send the user back after a successful authorisation
- Scope: which resources and actions the application is asking permission for
- Authorisation URL: the provider endpoint you redirect the user to when the application needs to be authorised
- Client ID: usually required by the provider to identify which application is asking for the grant
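As an added example (not part of this note), here is how the four items above fit together in the Authorisation Code flow: assembling the redirect to the provider's authorisation URL, then validating the callback before trusting the code it carries. All URLs, IDs and scopes are constructed placeholders; the `state` parameter goes beyond the list above and is included so the callback can be tied to the request that started it.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


def new_state() -> str:
    """Unguessable per-request value; store it in the user's session."""
    return secrets.token_urlsafe(32)


def build_authorization_url(auth_url, client_id, redirect_uri, scopes, state):
    """Assemble the URL the user is redirected to (Authorisation Code flow)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # RFC 6749: space-delimited scope list
        "state": state,
    }
    return f"{auth_url}?{urlencode(params)}"


def parse_callback(callback_url, expected_state, registered_redirect_uri):
    """Check the provider's redirect back and extract the authorisation code.

    Raises ValueError if the callback landed somewhere other than the
    registered redirect URI, reports an error, or carries a state value
    that does not match the one issued for this session.
    """
    parsed = urlparse(callback_url)
    landed_at = parsed._replace(query="", fragment="").geturl()
    if landed_at != registered_redirect_uri:
        raise ValueError("callback did not arrive at the registered redirect URI")
    qs = parse_qs(parsed.query)
    if "error" in qs:
        raise ValueError(f"provider returned error: {qs['error'][0]}")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this callback")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("callback is missing the authorisation code")
    return code  # next step: exchange it at the token endpoint (not shown)


if __name__ == "__main__":
    # Constructed placeholder values, not a real provider or client.
    state = new_state()
    print(build_authorization_url("https://provider.example/oauth2/auth",
                                  "client-123", "https://app.example/callback",
                                  ["openid", "drive.file"], state))
```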