Inferensys

Glossary

OAuth 2.0

OAuth 2.0 is an authorization framework that enables third-party applications to obtain limited access to a user's resources on an HTTP service without exposing the user's credentials, using access tokens instead.
Strategy consultant facilitating AI use case discovery workshop, sticky notes on glass wall, casual corporate meeting.
AUTHORIZATION FRAMEWORK

What is OAuth 2.0?

OAuth 2.0 is the industry-standard protocol for delegated authorization, enabling secure, token-based access to APIs without sharing user credentials.

OAuth 2.0 is an authorization framework that enables a third-party application to obtain limited access to a user's resources on an HTTP service. It achieves this by issuing access tokens to the client application, which are then presented to the resource server (API) instead of the user's primary credentials. This delegation model is fundamental to modern API security, separating the roles of the resource owner (user), client (application), authorization server, and resource server.

The framework defines several grant types—such as Authorization Code, Client Credentials, and Refresh Token—to accommodate different client capabilities and trust levels. In a zero-trust API gateway, the gateway acts as the OAuth client and Policy Enforcement Point (PEP), validating tokens via token introspection and enforcing least privilege access based on token scopes. This prevents AI agents and other services from exceeding their authorized permissions when calling backend APIs.

AUTHORIZATION FRAMEWORK

Core Components of OAuth 2.0

OAuth 2.0 is an authorization framework that enables third-party applications to obtain limited access to a user's resources on an HTTP service without exposing the user's credentials, using access tokens instead. This section details its fundamental building blocks.

01

Access Tokens

An Access Token is a credential used by a client application to access protected resources on behalf of a resource owner (user). It is a string, often a JSON Web Token (JWT), representing specific scopes and duration of access granted by the authorization server.

  • Bearer Tokens: The most common type, presented as-is by the client. Possession alone grants access.
  • Structure: Tokens can be opaque (random strings) or self-contained (JWTs containing claims).
  • Lifespan: Typically short-lived (minutes/hours) to limit risk if compromised. Refresh Tokens are used to obtain new access tokens.
02

Authorization Grant Flows

An Authorization Grant is a credential representing the resource owner's authorization. OAuth 2.0 defines several grant types for different client scenarios:

  • Authorization Code Grant: For server-side web apps. The most secure flow, involving a client redirect to an authorization server and an exchange of an authorization code for a token.
  • Client Credentials Grant: For machine-to-machine (M2M) communication where a client acts on its own behalf, not a user's.
  • Refresh Token Grant: Used to obtain a new access token using a refresh token.

Other flows include Implicit Grant (deprecated) and Resource Owner Password Credentials (not recommended).

03

Scopes and Permissions

Scopes are space-separated strings that specify the exact permissions being requested by the client. They limit an access token's capabilities to a subset of the user's total permissions.

  • Purpose: Implement the principle of least privilege. A token for read:contacts cannot delete contacts.
  • Definition: Scopes are defined by the resource server (e.g., api:read, files:write).
  • User Consent: During authorization, the user is presented with the list of requested scopes for approval.
  • Token Validation: The resource server must validate that the token's scopes permit the requested action.
04

Authorization Server

The Authorization Server is the central engine of OAuth 2.0. It authenticates the resource owner, obtains their consent, and issues access tokens to clients after successfully validating authorization grants.

Core Functions:

  • Token Endpoint: Client-facing API that issues access and refresh tokens (used in Authorization Code and Client Credentials flows).
  • Authorization Endpoint: User-facing endpoint where the resource owner authenticates and grants consent.
  • Token Introspection Endpoint (RFC 7662): Allows resource servers to query the active state and metadata of a token.
  • Client Registration: Manages pre-registration of confidential clients (those capable of securing a secret).
05

Resource Server

The Resource Server hosts the protected resources (APIs, user data) and accepts and responds to protected resource requests using access tokens. Its primary responsibility is to validate access tokens and enforce scopes.

Key Actions:

  • Token Validation: Verify the token's signature (if a JWT), issuer, audience, and expiration.
  • Scope Enforcement: Check that the token contains a scope permitting the requested HTTP method and endpoint.
  • Policy Enforcement: Acts as the Policy Enforcement Point (PEP), denying requests with invalid or insufficiently scoped tokens.
  • It relies on the authorization server for token issuance and introspection.
06

Client Types & Profiles

OAuth 2.0 defines clients based on their ability to maintain confidentiality of credentials, which determines which grant flows they can use.

  • Confidential Clients: Capable of securely storing a client secret (e.g., server-side web applications). Can use the Authorization Code grant.
  • Public Clients: Unable to store secrets reliably (e.g., single-page apps, native mobile apps). Use flows like Authorization Code with PKCE.

Key Security Profiles:

  • Proof Key for Code Exchange (PKCE): Extension (RFC 7636) for public clients to prevent authorization code interception attacks.
  • Native App Best Practices: Guidelines (RFC 8252) for implementing OAuth in mobile and desktop apps.
COMPARISON

OAuth 2.0 Grant Types

A comparison of the five primary OAuth 2.0 grant types, detailing their use cases, security profiles, and suitability for different client types.

Grant TypePrimary Use CaseClient TypeUser InvolvementSecurity ProfileToken Flow

Authorization Code

Server-side web applications

Confidential

High (PKCE optional)

Two-step: code for tokens

Authorization Code with PKCE

Single-page apps & mobile apps

Public

High (mandatory PKCE)

Two-step with code verifier/challenge

Client Credentials

Machine-to-machine (M2M) / service accounts

Confidential

Medium (client auth only)

Direct: client ID/secret for tokens

Resource Owner Password Credentials

Legacy migration (highly discouraged)

Confidential (trusted)

Low (exposes user credentials)

Direct: username/password for tokens

Device Code

Input-constrained devices (TVs, IoT)

Public

Medium (user polls from another device)

Two-step: device/user codes for tokens

Refresh Token Support

Obtaining new access tokens without re-prompting user

Confidential & Public (with PKCE)

Varies by flow

Uses existing refresh token

Recommended for AI Agents

Secure, auditable API access on behalf of users

Confidential (server-side)

High (uses Authorization Code)

Two-step, server-handled exchange

Default in Zero-Trust Gateways

Validating and brokering access for all clients

All

High (gateway acts as PEP)

Gateway orchestrates appropriate flow

ZERO-TRUST API GATEWAYS

Frequently Asked Questions

OAuth 2.0 is the foundational authorization framework for modern API security. These questions address its critical role in enabling secure, token-based access for AI agents and autonomous systems within a zero-trust architecture.

OAuth 2.0 is an authorization framework that enables a third-party application to obtain limited access to a user's resources on an HTTP service without exposing the user's credentials. It works by delegating user authentication to the service that hosts the user account and authorizing third-party applications to access the user account via access tokens. The core flow involves four key roles: the Resource Owner (user), the Client (application requesting access), the Resource Server (API hosting protected data), and the Authorization Server (issues tokens). The client redirects the user to the authorization server, which authenticates the user and obtains consent. Upon approval, the authorization server issues an access token (and often a refresh token) to the client, which then presents this token to the resource server to access protected APIs. This token-based model is fundamental for zero-trust API gateways, which validate every token for every request, enforcing the principle of 'never trust, always verify.'

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.