Inferensys

Glossary

OAuth 2.0

OAuth 2.0 is an industry-standard authorization framework that enables third-party applications to obtain limited access to a user's resources on an HTTP service without sharing their credentials.
Stylish WeWork-like workspace with hot desks and document wall, professional searching through enterprise knowledge base on a mounted ultrawide display, warm industrial pendants overhead.
SECURE CREDENTIAL MANAGEMENT

What is OAuth 2.0?

OAuth 2.0 is the industry-standard protocol for delegated authorization, enabling secure, limited access to user resources without sharing passwords.

OAuth 2.0 is an authorization framework defined by RFC 6749 that enables a third-party application to obtain limited access to a user's resources hosted by an HTTP service, such as an API. It achieves this by issuing access tokens to the client application, which act as scoped, short-lived credentials, eliminating the need for the user to share their primary username and password. The core innovation is the separation of the resource owner (user), the client (application), and the resource server (API), mediated by an authorization server.

The framework defines several grant types—including Authorization Code, Client Credentials, and Resource Owner Password Credentials—to accommodate different client contexts like web apps, mobile apps, and machine-to-machine services. It is foundational for modern API security and secure credential management, enabling features like social login and delegated API access. Related protocols like OpenID Connect (OIDC) build upon OAuth 2.0 to add an identity layer for authentication.

AUTHORIZATION FRAMEWORK

Key Features of OAuth 2.0

OAuth 2.0 is an industry-standard protocol that enables secure, delegated access to HTTP-based services. It separates the role of the resource owner from the client application, allowing users to grant limited access to their data without sharing credentials.

01

Delegated Authorization

OAuth 2.0's core mechanism allows a resource owner (typically a user) to grant a client application limited access to their protected resources hosted by a resource server, without ever revealing their long-term credentials (like a password) to the client. This is achieved through an authorization grant, which the client exchanges for an access token. The token represents the scope and duration of the granted permissions, not the user's identity.

  • Example: A user grants a photo printing app (client) permission to read their photos from Google Photos (resource server) but not to delete them or access their email.
02

Granular Scopes and Permissions

Access in OAuth 2.0 is controlled through scopes. During the authorization request, the client asks for one or more scopes, which are space-separated strings defined by the resource server (e.g., read:photos, write:contacts). The user consents to these specific permissions. The resulting access token is only valid for the granted scopes, enforcing the principle of least privilege.

  • Implementation: The token is presented to the resource server's API, which validates the token and checks that its scopes permit the requested action (e.g., a GET /photos request requires a token with the read:photos scope).
03

Multiple Authorization Grant Flows

OAuth 2.0 defines several grant types (or flows) tailored to different client capabilities and security requirements. The choice of flow depends on whether the client can securely store a secret and the context in which it runs.

  • Authorization Code: For web server applications. The most secure flow, involving a server-side exchange of an authorization code for a token.
  • Authorization Code with PKCE: Essential for mobile apps and single-page applications (SPAs). Adds a proof key to prevent code interception attacks.
  • Client Credentials: For machine-to-machine (M2M) communication where a client needs to access its own resources, not a user's.
  • Resource Owner Password Credentials: A legacy flow where the user gives their username/password directly to the client. Not recommended for third-party clients.
  • Device Code: For input-constrained devices like smart TVs, where the user authorizes on a separate device.
04

Short-Lived Tokens and Refresh Mechanism

OAuth 2.0 promotes security through short-lived access tokens (often valid for minutes or hours). If an access token is compromised, its usefulness is limited. To maintain a session without requiring the user to re-authenticate constantly, the protocol provides refresh tokens. A refresh token is a long-lived credential issued alongside the access token, which the client can use to obtain a new access token when the old one expires.

  • Security Benefit: This allows for periodic re-evaluation of the authorization grant and enables token revocation. Refresh tokens must be stored with the highest security, as they grant continued access.
05

Centralized Authorization Server

A critical component of the OAuth 2.0 architecture is the authorization server. This trusted entity is responsible for authenticating the resource owner, obtaining their consent, and issuing tokens to the client. It decouples authentication logic from the resource server.

  • Key Functions: Presents the consent screen to the user, validates authorization grants, issues access/refresh tokens, and often provides a token introspection endpoint for resource servers to validate tokens.
  • Separation of Concerns: The resource server trusts tokens signed or issued by the authorization server, allowing for scalable, centralized identity and access management.
06

Bearer Token Usage

OAuth 2.0 primarily uses Bearer Tokens (defined in RFC 6750). A bearer token is a cryptic string, such as a JWT or an opaque reference, that grants access to the bearer—whoever presents it. The client includes the token in the HTTP Authorization header when calling a protected API: Authorization: Bearer <token>.

  • Security Implication: This model is simple but means anyone in possession of the token can use it. Therefore, securing the token in transit (via HTTPS/TLS) and at rest is paramount. More advanced token types, like Proof-of-Possession (PoP) tokens, are emerging to bind a token to a specific client, mitigating theft risks.
SECURE CREDENTIAL MANAGEMENT

Frequently Asked Questions

OAuth 2.0 is the industry-standard protocol for delegated authorization, enabling applications to access user resources without handling passwords. These FAQs address its core mechanisms, security considerations, and role in AI agent architectures.

OAuth 2.0 is an authorization framework that enables a third-party application to obtain limited access to a user's resources on an HTTP service without exposing the user's credentials. It works by delegating user authentication to the service that hosts the user account (the resource owner) and authorizing the third-party application (the client) to access the account via an access token. The core flow involves the user granting permission, the client receiving an authorization grant, exchanging that grant for an access token from the authorization server, and then using that token to make requests to the resource server. This separates the roles of authentication and authorization, allowing for fine-grained, revocable access without password sharing.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.