How OAuth 2.0 Secures Third‑Party Access: From Open Platforms to Authorization Code Flow

This article explains the concept of open platforms, the evolution of OAuth 2.0, its core token‑based authorization mechanism, real‑world analogies, and the step‑by‑step Authorization Code grant flow that lets third‑party apps securely access protected resources.

JavaEdge

Open Platform Concept

An open platform publishes its APIs (Open API) so that third‑party applications can extend functionality or consume resources without modifying the platform’s source code. Examples include social‑login integrations such as WeChat login.

OAuth 2.0 Overview

OAuth (Open Authorization) is an authorization framework. OAuth 1.0 (2007) suffered from security and flexibility limitations. OAuth 2.0 (2011) introduced a token‑based model and multiple grant types to support web, mobile, and native applications.

Spring Security OAuth2 is a framework that implements the OAuth 2.0 protocol; Spring Security itself is a separate security framework.

Why Use OAuth 2.0?

Instead of sharing user credentials, OAuth 2.0 issues short‑lived access tokens. A token grants limited, revocable permission to protected resources, reducing the risk of credential leakage.

Typical Authorization Scenarios

1. Physical‑access analogy (Huawei interview)

A receptionist verifies an appointment and issues a temporary access card. The card represents an authorization grant that allows the holder to enter a restricted area.

2. Third‑party article‑formatting tool

A user scans a QR code in a public‑account management console and authorizes a third‑party tool. The tool receives an authorization code, exchanges it for an access_token, and then calls the open‑platform API to fetch the user’s public articles for automatic formatting.

This flow uses the Authorization Code grant, the most common and secure OAuth 2.0 flow.

Authorization Code Grant Execution Flow

1. The user initiates an operation from the third‑party application.

2. The open platform presents an authorization page where the user logs in and consents.

3. After consent, the platform redirects the user’s browser to the application’s callback URL with an authorization code.

4. The application sends a back‑channel request to the token endpoint, presenting the authorization code (and its client credentials) to obtain an access_token.

5. The application includes the access_token in the Authorization: Bearer header when calling protected APIs to retrieve data.
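The flow above, condensed into an added, self-contained Python example (not code from the article or from any platform it mentions): a constructed in-memory authorization server issues a code bound to the client and its registered redirect URI, the token endpoint checks the client secret and consumes the code so it cannot be replayed, and a protected API accepts only a live bearer token. Client IDs, secrets, URLs and the article list are made-up values; the `now` parameters exist only to make expiry deterministic.

```python
import secrets
import time

class AuthorizationServer:
    """Constructed in-memory authorization + resource server for the flow above."""

    def __init__(self, clients, code_ttl=60, token_ttl=3600):
        self.clients = clients   # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}          # code -> (client_id, redirect_uri, user, expires_at)
        self.tokens = {}         # access_token -> (user, expires_at)
        self.code_ttl, self.token_ttl = code_ttl, token_ttl

    def authorize(self, client_id, redirect_uri, user, now=None):
        """Front channel: after login and consent, redirect with a short-lived code."""
        now = time.time() if now is None else now
        if client_id not in self.clients or self.clients[client_id][1] != redirect_uri:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, user, now + self.code_ttl)
        return f"{redirect_uri}?code={code}"   # real flows also echo the client's state

    def token(self, client_id, client_secret, code, redirect_uri, now=None):
        """Back channel (over TLS): exchange code + client credentials for a token."""
        now = time.time() if now is None else now
        secret = self.clients.get(client_id, (None, None))[0]
        if secret is None or not secrets.compare_digest(secret, client_secret):
            raise PermissionError("invalid_client")
        entry = self.codes.pop(code, None)     # pop() makes the code single-use
        if entry is None or entry[:2] != (client_id, redirect_uri) or now > entry[3]:
            raise PermissionError("invalid_grant")   # unknown, replayed, rebound or expired
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = (entry[2], now + self.token_ttl)
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": self.token_ttl}

    def introspect(self, access_token, now=None):
        """Resource-server check: user for a live bearer token, else None."""
        now = time.time() if now is None else now
        entry = self.tokens.get(access_token)
        return None if entry is None or now > entry[1] else entry[0]


def fetch_articles(server, headers, now=None):
    """Protected API: requires 'Authorization: Bearer <token>'; returns (status, body)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    user = server.introspect(token, now) if scheme == "Bearer" else None
    if user is None:
        return 401, []
    return 200, [f"{user}'s public article 1", f"{user}'s public article 2"]
```

A production deployment would additionally bind the redirect to the client's `state` value and use PKCE, which this example omits.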

Key Technical Details

Authorization Code – a short‑lived, single‑use string issued after user consent.

Access Token – a bearer token (often a JWT) that the client presents to resource servers.

Tokens are typically valid for minutes to hours; refresh tokens can be used to obtain new access tokens without further user interaction.

All communication with the token endpoint must use TLS to protect client secrets and codes.

Summary

OAuth 2.0 provides a delegation protocol that separates authentication from authorization. By issuing an authorization code, exchanging it for an access token, and using that token to access protected resources, applications avoid handling user passwords, thereby improving security for web APIs.


Written by

JavaEdge

First‑line development experience at multiple leading tech firms; now a software architect at a Shanghai state‑owned enterprise and founder of Programming Yanxuan. Nearly 300k followers online; expertise in distributed system design, AIGC application development, and quantitative finance investing.