How OAuth 2.0 Works - Understanding Authentication vs Authorization

12 min read | 2025.12.02

The Difference Between Authentication and Authorization

Before understanding OAuth 2.0, let’s clarify the difference between authentication and authorization:

  • Authentication: Confirming “Who are you?”
  • Authorization: Allowing “What can you do?”

OAuth 2.0 is an authorization protocol: it is a mechanism that allows a third-party application to access a user's resources without the user handing that application their credentials.

OAuth 2.0 Actors

  • Resource Owner: The user (owner of the data)
  • Client: The application requesting access
  • Authorization Server: Server that issues access tokens
  • Resource Server: Server hosting protected resources

Authorization Code Flow

The most secure and common flow:

  1. Client redirects user to authorization server
  2. User logs in and grants permissions
  3. Authorization server returns authorization code to client
  4. Client exchanges authorization code for access token
  5. Access resources with access token

# 1. Authorization Request
GET /authorize?
  response_type=code
  &client_id=YOUR_CLIENT_ID
  &redirect_uri=https://yourapp.com/callback
  &scope=read:user
  &state=random_string

# 4. Token Request
POST /oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code=AUTHORIZATION_CODE
&redirect_uri=https://yourapp.com/callback
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
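
As an added example (not code from the original post), the client side of steps 1, 3 and 4 in Python: generate a fresh state and bind it to the user's session, reject a callback whose state does not match (or reuses) that session's value, and build the token request body with the same redirect_uri. The endpoint URLs and the in-memory session dict are assumptions; the client credentials reuse the page's placeholders.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed endpoints and placeholder credentials (the page gives no real values).
AUTHORIZE_URL = "https://auth.example.com/authorize"   # assumption
TOKEN_URL = "https://auth.example.com/oauth/token"     # assumption
CLIENT_ID = "YOUR_CLIENT_ID"
CLIENT_SECRET = "YOUR_CLIENT_SECRET"
REDIRECT_URI = "https://yourapp.com/callback"


def query_params(url):
    """Return the query string of url as a dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def build_authorization_request(session):
    """Step 1: build the redirect to /authorize and bind a fresh state to this session."""
    state = secrets.token_urlsafe(32)   # unguessable, one per authorization attempt
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "read:user",            # least privilege: request only what the app needs
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def handle_callback(session, callback_url):
    """Steps 3-4: validate the redirect back to the client, then build the token request body."""
    params = query_params(callback_url)
    expected = session.pop("oauth_state", None)   # single use: consumed even if the check fails
    received = params.get("state")
    if expected is None or received is None or not secrets.compare_digest(expected, received):
        raise ValueError("state mismatch: response is not bound to this session")
    if "error" in params:
        raise ValueError("authorization server returned error: " + params["error"])
    code = params.get("code")
    if not code:
        raise ValueError("callback carried no authorization code")
    # Body for the POST to TOKEN_URL; redirect_uri must repeat the value sent in step 1.
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    })
```

The returned body is what the client POSTs to the token endpoint with Content-Type: application/x-www-form-urlencoded; the code is single-use and should be exchanged immediately.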

Types of Tokens

Access Token

  • Short-lived token for accessing resources
  • Usually expires in 15 minutes to 1 hour
  • Sent via Authorization: Bearer header

Refresh Token

  • Token for obtaining new access tokens
  • Long validity (days to months)
  • Must be stored securely

# Refreshing access token with refresh token
POST /oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token
&refresh_token=YOUR_REFRESH_TOKEN
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET

Scopes

Scopes limit the operations allowed by an access token:

  • read:user - Read user information
  • write:posts - Create/edit posts
  • delete:comments - Delete comments

Principle of Least Privilege: By requesting only the minimum necessary scopes, you limit what a leaked or misused access token can do.

Summary

OAuth 2.0 is a mechanism that allows secure delegation of resource access without sharing passwords. By understanding access tokens, refresh tokens, and proper scope design, you can build secure applications.
