OAuth is everywhere: from logging in with Google to giving third-party apps permission to access your data without sharing your password.


🤔 What is OAuth?

Read here


🧩 Key Roles in OAuth:

| Role | Who/What |
| --- | --- |
| Resource Owner | You (the user) |
| Client | The app requesting access (e.g., Notion, Figma) |
| Authorization Server | Google/Facebook – verifies you and issues tokens |
| Resource Server | The API holding the data (e.g., Google Calendar API) |

🔄 Typical OAuth Authorization Code Flow (for mobile/web apps)

  1. App redirects user to Authorization Server
    • GET https://accounts.google.com/o/oauth2/auth?...
    • User sees a login screen.
  2. User logs in and approves permission
    • Example: “Allow this app to access your contacts?”
  3. Authorization Server redirects back with a short-lived code
    • Sent to the client app’s redirect URI.
  4. Client exchanges code for access_token
    • Client sends this code (and secret, if applicable) to the auth server.
    • Response: access_token + optional refresh_token
  5. Client uses access_token to call APIs
    • Example: GET /contacts with Authorization: Bearer access_token
  6. When token expires, refresh using refresh_token
    • No need to ask the user again.

πŸ” Types of OAuth Flows (Grants)

FlowUse Case
Authorization CodeFull login experience (most secure for mobile/web)
Client CredentialsNo user, app-to-app auth (e.g., backend services)
Implicit FlowDeprecated (was used for pure client-side apps)
Device Code FlowTV or CLI devices without browser input
PKCE (for mobile)Authorization Code Flow with extra security (for native apps, avoids needing client secret)
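The six-step Authorization Code Flow above and the PKCE row in this table describe the same exchange, so here is one worked example covering both. It is an added example, not code from the original post: the authorize endpoint is the one the post names, while the client id, the redirect URI and the in-memory `SimulatedAuthServer` are placeholders constructed for this example so it runs offline. The client generates a `state` and a PKCE verifier/challenge pair, builds the step 1 URL, checks `state` on the callback, exchanges the code plus verifier for tokens, and refreshes silently once the access token has expired. The simulated server rejects a replayed code and a verifier that does not match the challenge, which is the property PKCE adds for native apps that cannot keep a client secret.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# AUTHORIZE_URL is the endpoint the post names; CLIENT_ID and REDIRECT_URI are placeholders.
AUTHORIZE_URL = "https://accounts.google.com/o/oauth2/auth"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://client.example/callback"

def b64url(raw):
    """Base64url without padding, the encoding PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 method."""
    verifier = b64url(secrets.token_bytes(32))  # 43 unreserved characters
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorize_url(state, code_challenge, scope):
    """Step 1: the URL the app sends the user's browser to."""
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": scope,
              "state": state,                    # ties the callback to this login attempt
              "code_challenge": code_challenge,  # PKCE: no client secret on the device
              "code_challenge_method": "S256"}
    return AUTHORIZE_URL + "?" + urlencode(params)

def _query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class SimulatedAuthServer:
    """In-memory stand-in for the authorization server (constructed for this example)."""
    def __init__(self):
        self.pending = {}           # code -> (redirect_uri, code_challenge)
        self.refresh_tokens = set()

    def authorize(self, url):
        """Steps 2-3: user approves; server redirects back with a one-time code."""
        q = _query(url)
        code = secrets.token_urlsafe(16)
        self.pending[code] = (q["redirect_uri"], q["code_challenge"])
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, grant_type, **kw):
        """Steps 4 and 6: the token endpoint."""
        new = lambda: {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                       "expires_in": 3600}
        if grant_type == "authorization_code":
            entry = self.pending.pop(kw["code"], None)  # codes are single use
            if entry is None or entry[0] != kw["redirect_uri"]:
                return {"error": "invalid_grant"}
            expected = b64url(hashlib.sha256(kw["code_verifier"].encode("ascii")).digest())
            if not secrets.compare_digest(expected, entry[1]):
                return {"error": "invalid_grant"}  # verifier does not match the challenge
            rt = secrets.token_urlsafe(24)
            self.refresh_tokens.add(rt)
            return dict(new(), refresh_token=rt)
        if grant_type == "refresh_token" and kw.get("refresh_token") in self.refresh_tokens:
            return new()
        return {"error": "invalid_grant"}

class OAuthClient:
    """The app side: keeps state and verifier in memory between steps 1 and 4."""
    def __init__(self, server):
        self.server, self.state, self.verifier = server, None, None
        self.access_token, self.refresh_token, self.expires_at = None, None, 0.0

    def start_login(self, scope="contacts.readonly"):
        self.state = secrets.token_urlsafe(16)
        self.verifier, challenge = make_pkce_pair()
        return build_authorize_url(self.state, challenge, scope)

    def handle_callback(self, callback_url):
        """Step 4: check state, then trade the code plus verifier for tokens."""
        q = _query(callback_url)
        if not self.state or not secrets.compare_digest(q.get("state", ""), self.state):
            raise ValueError("state mismatch: callback is not for this login attempt")
        self.state = None  # state is single use as well
        resp = self.server.token("authorization_code", code=q["code"],
                                 redirect_uri=REDIRECT_URI, code_verifier=self.verifier)
        if "error" in resp:
            raise ValueError(resp["error"])
        return self._store(resp)

    def _store(self, resp):
        self.access_token = resp["access_token"]
        self.refresh_token = resp.get("refresh_token", self.refresh_token)
        self.expires_at = time.time() + resp["expires_in"]
        return resp

    def authorization_header(self, now=None):
        """Steps 5-6: refresh silently if expired, then return the header value for API calls."""
        now = time.time() if now is None else now
        if now >= self.expires_at - 30:  # 30 s clock-skew margin
            resp = self.server.token("refresh_token", refresh_token=self.refresh_token)
            if "error" in resp:
                raise ValueError(resp["error"])
            self._store(resp)
        return "Bearer " + self.access_token
```

Against a real provider, `SimulatedAuthServer.authorize` is replaced by the user's browser and `token` by an HTTPS POST to the provider's token endpoint; the client-side logic (single-use `state`, verifier kept only in memory, code exchanged exactly once, refresh triggered by expiry rather than by a failed API call) stays the same.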

πŸ›‘οΈ Why It’s Important for You (as a Dev)

  • If you’re integrating Google Sign-In, GitHub OAuth, Spotify login, etc. β€” you’re using OAuth under the hood.

  • Understanding OAuth helps:

    • Avoid security mistakes (like leaking tokens)

    • Implement proper token storage (don’t store access tokens in plaintext on Android)

    • Use PKCE properly in native apps

  • Helps in SSO (Single Sign-On), federated identity, and secure auth flows