OAuth is everywhere: from logging in with Google to giving third-party apps permission to access your data without sharing your password.

## What is OAuth?
## Key Roles in OAuth
Role | Who/What |
---|---|
Resource Owner | You (the user) |
Client | The app requesting access (e.g., Notion, Figma) |
Authorization Server | Google/Facebook: verifies you and issues tokens |
Resource Server | The API holding the data (e.g., Google Calendar API) |
## Typical OAuth Authorization Code Flow (for mobile/web apps)

1. App redirects user to Authorization Server
   - `GET https://accounts.google.com/o/oauth2/auth?...`
   - User sees a login screen.
2. User logs in and approves permission
   - Example: "Allow this app to access your contacts?"
3. Authorization Server redirects back with a short-lived `code`
   - Sent to the client app's redirect URI.
4. Client exchanges `code` for `access_token`
   - Client sends this code (and secret, if applicable) to the auth server.
   - Response: `access_token` + optional `refresh_token`
5. Client uses `access_token` to call APIs
   - Example: `GET /contacts` with `Authorization: Bearer access_token`
6. When token expires, refresh using `refresh_token`
   - No need to ask the user again.
## Types of OAuth Flows (Grants)
Flow | Use Case |
---|---|
Authorization Code | Full login experience (most secure for mobile/web) |
Client Credentials | No user, app-to-app auth (e.g., backend services) |
Implicit Flow | Deprecated (was used for pure client-side apps) |
Device Code Flow | TV or CLI devices without browser input |
PKCE (for mobile) | Authorization Code Flow with extra security (for native apps, avoids needing client secret) |
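The six steps of the Authorization Code Flow above, together with the PKCE variant from the grants table, as an added, runnable example (not code from the original post or from any real provider). It assumes a hypothetical in-memory `ToyAuthServer` standing in for Google's authorization and resource endpoints, a hypothetical public `Client` with no client secret, and constructed values (`demo-app`, `https://app.example/callback`, the two sample contacts). The server enforces the checks a real one would: each `code` works exactly once, the `code_verifier` must hash to the `code_challenge` sent in step 1, the `redirect_uri` must match, refresh tokens rotate on use, and the client refuses any callback whose `state` it did not issue.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

def s256(verifier):
    """PKCE S256: BASE64URL(SHA256(code_verifier)) with the '=' padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def query_params(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class ToyAuthServer:
    # Hypothetical in-memory authorization + resource server (stand-in for Google's).
    def __init__(self):
        self.codes = {}    # one-time code -> what it was issued for
        self.refresh = {}  # refresh_token -> scope
        self.access = {}   # access_token -> expiry (unix time)

    def authorize(self, params, user_approved=True):
        """Steps 1-3: after login and consent, redirect back with a short-lived code."""
        reply = {"state": params["state"]}  # state is echoed back untouched
        if user_approved:
            code = secrets.token_urlsafe(24)
            self.codes[code] = {k: params[k] for k in
                                ("client_id", "redirect_uri", "code_challenge", "scope")}
            reply["code"] = code
        else:
            reply["error"] = "access_denied"
        return params["redirect_uri"] + "?" + urlencode(reply)

    def token(self, form):
        """Steps 4 and 6: exchange a code (or a refresh_token) for tokens."""
        if form["grant_type"] == "authorization_code":
            entry = self.codes.pop(form.get("code"), None)  # pop: a code works exactly once
            if (entry is None or entry["client_id"] != form["client_id"]
                    or entry["redirect_uri"] != form["redirect_uri"]
                    or not secrets.compare_digest(s256(form["code_verifier"]), entry["code_challenge"])):
                return {"error": "invalid_grant"}
            scope = entry["scope"]
        elif form["grant_type"] == "refresh_token":
            scope = self.refresh.pop(form.get("refresh_token"), None)  # rotate on every use
            if scope is None:
                return {"error": "invalid_grant"}
        else:
            return {"error": "unsupported_grant_type"}
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[at] = time.time() + 3600
        self.refresh[rt] = scope
        return {"access_token": at, "token_type": "Bearer", "expires_in": 3600,
                "refresh_token": rt, "scope": scope}

    def get_contacts(self, authorization_header):
        """Step 5: the resource server accepts only an unexpired bearer token."""
        scheme, _, token = authorization_header.partition(" ")
        if scheme != "Bearer" or self.access.get(token, 0) < time.time():
            return 401, None
        return 200, ["alice@example.com", "bob@example.com"]  # constructed sample data

class Client:
    # Public client (a mobile app): no client secret, so PKCE + state protect the flow.
    def __init__(self, server, client_id="demo-app", redirect_uri="https://app.example/callback"):
        self.server, self.client_id, self.redirect_uri = server, client_id, redirect_uri
        self.pending = {}  # state -> code_verifier, kept only until the callback arrives

    def build_auth_url(self, scope="contacts.readonly"):
        """Step 1: the URL the app opens in the system browser."""
        verifier = secrets.token_urlsafe(48)  # 64 chars, inside RFC 7636's 43..128 range
        state = secrets.token_urlsafe(16)
        self.pending[state] = verifier
        return "https://auth.example/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": scope, "state": state,
            "code_challenge": s256(verifier), "code_challenge_method": "S256"})

    def handle_callback(self, redirect_url):
        """Step 4: check state, then swap the code for tokens using the matching verifier."""
        q = query_params(redirect_url)
        verifier = self.pending.pop(q.get("state", ""), None)
        if verifier is None:
            raise ValueError("unknown state: this client did not start that login")
        if "error" in q:
            raise PermissionError(q["error"])
        return self.server.token({"grant_type": "authorization_code", "code": q["code"],
                                  "client_id": self.client_id, "redirect_uri": self.redirect_uri,
                                  "code_verifier": verifier})

    def refresh_tokens(self, refresh_token):
        """Step 6: a fresh access token without asking the user again."""
        return self.server.token({"grant_type": "refresh_token", "client_id": self.client_id,
                                  "refresh_token": refresh_token})

def run_flow(user_approved=True):
    """Drive steps 1-5 end to end; returns (tokens, HTTP status of GET /contacts)."""
    server = ToyAuthServer()
    client = Client(server)
    callback = server.authorize(query_params(client.build_auth_url()), user_approved)
    tokens = client.handle_callback(callback)  # raises PermissionError if the user declined
    status, _ = server.get_contacts("Bearer " + tokens["access_token"])
    return tokens, status
```

`run_flow()` plays the browser: the authorize URL the client built is handed straight to the toy server and the redirect it returns is fed to `handle_callback`. The same objects let you check the failure modes the flow exists to prevent: feeding a callback to the client twice, presenting a code with the wrong `code_verifier`, or reusing a refresh token all come back as `invalid_grant` or an exception rather than a token.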
## Why It's Important for You (as a Dev)

- If you're integrating Google Sign-In, GitHub OAuth, Spotify login, etc., you're using OAuth under the hood.
- Understanding OAuth helps you:
  - Avoid security mistakes (like leaking tokens)
  - Implement proper token storage (don't store access tokens in plaintext on Android)
  - Use PKCE properly in native apps
- It also helps with SSO (Single Sign-On), federated identity, and secure auth flows