---
url: 'https://www.corbado.com/glossary/oauth2'
title: 'OAuth 2.0'
description: 'Understand OAuth 2.0, an authentication method for securely authorizing access to user data.'
lang: 'en'
keywords: 'oauth 2.0'
---

# OAuth 2.0

## What is OAuth 2.0?

**OAuth 2.0** is a protocol that allows third-party applications to gain limited access to
a user's protected resources, without the need to expose the user's credentials. This
**authentication** method is widely adopted for its security and user convenience.

**OAuth 2.0** works by:

- Providing the user with an authorization request.
- Receiving an authorization code upon the user's consent.
- Exchanging the code for an [access token](https://www.corbado.com/glossary/access-token).
- Using the token to access the user's resources.

## Key Takeaways

> - OAuth 2.0 is a secure protocol for authorization without exposing user credentials.
> - Offers a seamless user experience by granting third-party applications limited access.
> - Predominantly used in web, mobile, and desktop applications.

---

### Origins and Popularity:

Introduced in 2012 as an evolution of its predecessor OAuth 1.0, OAuth 2.0 quickly gained
traction because of its simplified workflow and robust security features.

## Overview of important concepts in OAuth 2.0

### Roles in OAuth 2.0

- **Resource Owner**: Typically the user, they grant access to their data.
- **Client**: The third-party application seeking access.
- **Resource Server**: Stores the user data and is accessed using the
  [access token](https://www.corbado.com/glossary/access-token).
- **Authorization Server**: Authenticates the resource owner and issues the access tokens.

### Tokens Over Credentials

Unlike traditional authentication methods which require sharing credentials, OAuth 2.0
uses access tokens. These tokens have limited scopes, durations, and are revoked easily,
ensuring user data remains secure.

### Flows in OAuth 2.0

Flows in OAuth 2.0 refer to the entire process or sequence of steps that an application
follows to obtain an [access token](https://www.corbado.com/glossary/access-token). OAuth 2.0 specifies various
flows that are tailored for different application scenarios and security requirements,
e.g. the **Authorization Code Flow**, which is ideal for servers with high-security needs
and the **Implicit Flow**, which is better suited for clients that cannot securely store
credentials.

### Grants in OAuth 2.0

Grants are specific methods or mechanisms within flows that detail how an access token is
requested and obtained. They define the technical specifications for different scenarios,
such as the Authorization Code Grant or the Client Credentials Grant.

### Refresh Tokens in OAuth 2.0

OAuth Refresh Tokens extend the lifecycle of access tokens without requiring user
interaction every time they expire. These tokens are crucial in OAuth flows, particularly
when continuous access to resources is needed.

### Applications of OAuth 2.0

From enabling "Login with [Facebook](https://www.corbado.com/blog/facebook-passkeys)" on websites to letting apps
access photos from cloud storage, OAuth 2.0 has diverse applications in modern web
environments.

---

## OAuth 2.0 FAQs

### What is OAuth 2.0?

**OAuth 2.0** is a protocol that allows third-party applications to gain limited access to
a user's protected resources, without the need to expose the user's credentials.

### What are OAuth 2.0 Flows?

Flows are the entire processes or sequences of steps that an application follows to obtain
an access token in OAuth 2.0. Several flows are specified, e.g. the Authorization Code
Grant.

### What are OAuth 2.0 Grants?

Grants are specific methods in OAuth that are used to request and obtain access tokens.
They're also define for different scenarios and use cases.

### What is a refresh token in OAuth 2.0?

OAuth Refresh Tokens extend the lifecycle of access tokens without requiring user
interaction every time they expire. These tokens are very useful when continuous access to
resources is needed.

### Why is OAuth 2.0 used for authentication?

OAuth 2.0 offers robust security by eliminating the need to share credentials and
providing controlled access through tokens.

### How is OAuth different from traditional authentication?

Traditional methods require users to share credentials with third parties, risking
security. OAuth uses tokens, ensuring data safety and better user control.

### Are there any limitations of OAuth 2.0?

While OAuth 2.0 is powerful, it can be complex to implement and might not be ideal for all
applications. Regular updates and awareness of the latest security threats are essential.

### OAuth Flows vs. Grants: what's the difference?

In OAuth 2.0, the terms "flows" and "grants" are closely related and often used as
synonyms, but they describe different slightly different aspects of getting tokens.
**Flows** refer to the entire process or sequence of steps that an application follows,
while **grants** are specific methods or mechanisms within these flows that detail how an
access token is requested and obtained.