Inferensys

Glossary

OAuth 2.0

OAuth 2.0 is an industry-standard authorization framework that enables third-party applications to obtain limited access to a user's resources on an HTTP service, without sharing the user's credentials.
Stylish WeWork-like workspace with hot desks and document wall, professional searching through enterprise knowledge base on a mounted ultrawide display, warm industrial pendants overhead.
AUTHORIZATION FRAMEWORK

What is OAuth 2.0?

OAuth 2.0 is the industry-standard protocol for delegated authorization, enabling secure, limited API access without sharing user passwords.

OAuth 2.0 is an authorization framework that enables a third-party application to obtain limited access to a user's resources on an HTTP service. It achieves this by issuing access tokens to the client application after the resource owner (user) grants consent, eliminating the need for the client to handle the user's primary credentials. The core specification defines roles like the resource server, authorization server, and several standardized grant flows (e.g., Authorization Code, Client Credentials) to accommodate different client types.

For AI agents and tool-calling architectures, OAuth 2.0 provides the secure handshake for authenticating with external APIs. Agents must execute the appropriate grant flow, manage token lifecycles, and respect defined scopes. Key related concepts include OpenID Connect (OIDC) for identity, Bearer Tokens for API requests, and PKCE for securing public clients. This framework is foundational within API authentication flows, ensuring agents can act on a user's behalf within strictly defined permissions.

GRANT TYPES

Core OAuth 2.0 Grant Types (Flows)

OAuth 2.0 defines several standardized authorization flows, or grant types, each designed for a specific client type and security context. Selecting the correct flow is critical for secure API access.

01

Authorization Code Flow

The primary, most secure flow for server-side web applications. It involves a two-step process where the client first receives an authorization code via the user's browser, then exchanges this code for an access token and a refresh token via a secure back-channel request from the server.

  • Use Case: Traditional web applications with a backend server.
  • Security Benefit: The access token is never exposed to the user's browser or public client.
  • Key Components: Redirect URI, authorization code, client secret.
02

Authorization Code Flow with PKCE

An extension of the Authorization Code flow designed for public clients that cannot securely store a client secret, such as mobile apps and single-page applications (SPAs). It uses a Proof Key for Code Exchange to prevent authorization code interception attacks.

  • PKCE Mechanism: The client creates a cryptographically random code_verifier and sends a derived code_challenge with the initial request. It must later present the original code_verifier to exchange the code for a token.
  • Use Case: Native mobile apps, JavaScript-based SPAs.
  • RFC Standard: Defined in RFC 7636.
03

Client Credentials Flow

A machine-to-machine (M2M) flow where a client application uses its own credentials to authenticate directly with the authorization server and obtain an access token. This flow does not involve a user context.

  • Use Case: Service accounts, daemons, backend microservices communicating with other APIs.
  • Token Scope: The access token is scoped to the client's own permissions, not a user's.
  • Authentication: Typically uses a client ID and client secret (or a signed JWT).
04

Device Authorization Flow

A flow designed for input-constrained devices that lack a browser or easy text input, such as smart TVs, gaming consoles, or IoT devices. The device initiates the flow and provides a user code and verification URI for the user to complete authorization on a secondary device.

  • Process:
    1. Device requests a user code from the authorization server.
    2. Device displays the code and URI (e.g., https://example.com/activate).
    3. User visits the URI on a phone/computer, enters the code, and consents.
    4. Device polls the authorization server until the user completes the step, then receives tokens.
  • Use Case: Devices with limited input capabilities.
05

Resource Owner Password Credentials Flow

A flow where the user provides their username and password directly to the client application, which then exchanges them for an access token. This flow is highly discouraged due to significant security risks.

  • Risks: The client application gains direct knowledge of the user's long-term credentials, violating core OAuth principles. It should only be used when other flows are impossible.
  • Limited Use Case: Migrating legacy systems to OAuth 2.0, or for highly-trusted first-party clients (e.g., a company's own mobile app).
  • Deprecation: Modern security best practices strongly favor the Authorization Code flow with PKCE instead.
06

Implicit Flow (Deprecated)

A legacy flow where the access token was returned directly in the URL fragment of the redirect URI after user consent, without an intermediate authorization code. This flow is now obsolete and deprecated in the OAuth 2.1 specification due to inherent security vulnerabilities.

  • Security Flaws: The access token is exposed in the browser history and to any JavaScript on the page, making it susceptible to theft.
  • Modern Replacement: The Authorization Code Flow with PKCE provides the same client profile support (SPAs) with vastly improved security and is the required standard for public clients.
  • Historical Context: Was once recommended for single-page applications before PKCE was standardized.
CORE ENTITIES

OAuth 2.0 Roles and Components

This table defines the four primary roles and key components that interact within the OAuth 2.0 authorization framework, detailing their responsibilities and relationships.

Role / ComponentDefinitionPrimary ResponsibilityCommon Implementation

Resource Owner

The entity capable of granting access to a protected resource. Typically, this is the end-user.

Authenticate and consent to client access requests.

End-user (human) or a system entity.

Client

The application making protected resource requests on behalf of the resource owner and with its authorization.

Initiate the authorization flow and use access tokens to access protected resources.

Web server, single-page app (SPA), mobile app, or backend service.

Authorization Server

The server that authenticates the resource owner, obtains consent, and issues access tokens to the client after successful authorization.

Issue access tokens and refresh tokens. Validate client credentials and authorization grants.

Dedicated service (e.g., Keycloak, Auth0, Okta) or an identity provider's token endpoint.

Resource Server

The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.

Validate access tokens presented by clients and serve the requested protected resources if the token is valid and authorized.

API backend (REST, GraphQL) that checks token signatures, scopes, and expiration.

Authorization Grant

A credential representing the resource owner's authorization, used by the client to obtain an access token.

Convey the client's right to request a token. Types include authorization code, implicit, client credentials, and resource owner password.

An authorization code string, a set of client credentials, or a username/password pair.

Access Token

A credential used to access protected resources. A string denoting specific scopes, lifetime, and other access attributes.

Convey authorization information from the client to the resource server.

Opaque string or a structured JSON Web Token (JWT).

Refresh Token

A credential used to obtain a new access token when the current one expires, without re-prompting the resource owner.

Maintain persistent access for a client within the bounds of the original consent.

Long-lived, opaque string issued by the authorization server and stored securely by the client.

Scope

A mechanism to limit an application's access to a user's account. Represents a specific permission.

Define the breadth of access granted by the resource owner to the client.

Space-delimited list of strings (e.g., 'read:contacts write:calendar').

OAUTH 2.0

Frequently Asked Questions

Answers to common technical questions about the OAuth 2.0 authorization framework, focusing on its mechanisms, security, and integration for AI agents and backend systems.

OAuth 2.0 is an industry-standard authorization framework that enables a third-party application to obtain limited access to a user's resources on an HTTP service without exposing the user's credentials. It works by delegating user authentication to the service that hosts the user account and authorizing third-party applications to access the user account with an access token.

The core flow involves four key roles:

  • Resource Owner: The user who owns the data.
  • Client: The third-party application requesting access.
  • Authorization Server: The server that authenticates the user and issues tokens.
  • Resource Server: The API server hosting the protected data.

The client redirects the user to the authorization server. After the user authenticates and grants consent, the authorization server issues an access token to the client. The client then uses this token to make authorized requests to the resource server on the user's behalf.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.