Information Security 9 min read

Understanding OAuth 2.0: Principles, Architecture, and Implementation

This article explains the OAuth 2.0 authorization framework, its core concepts, architecture, key roles, and implementation patterns for web, user‑agent, and native applications, helping readers grasp how delegated access works without sharing user credentials.

Architect's Guide

When first encountering OAuth 2.0 many people confuse it with Single Sign‑On (SSO); this guide clarifies the distinction and provides a complete tutorial on OAuth 2.0 principles and implementation.

What is OAuth 2.0

OAuth is an open authorization protocol that enables a site to share resources stored on another site without exposing the user’s credentials. A practical analogy using a WeChat account illustrates how a third‑party application can obtain limited permissions via OAuth instead of requiring the user’s password.

OAuth 2.0 Architecture

The flow involves three main entities: the resource owner (user), the client application, and the authorization server (e.g., Google, WeChat). The article outlines the step‑by‑step process from the user initiating access to obtaining an access token and using it to call protected APIs.

Key Terminology

Authentication: verifying a user’s identity, typically via username and password.

Federated Authentication: allowing multiple applications to rely on a single identity provider.

Authorization: granting permission to perform actions after authentication.

Delegated Authorization: permitting one party to act on behalf of another.

Roles: resource owner, client application, resource server, and authorization server.

Web Server

A web server hosts the client ID and secret securely and mediates requests to the resource server.

User Agent

The user‑agent (e.g., a browser‑based JavaScript app) interacts with the authorization server and obtains tokens on behalf of the user.

Native Application

Native apps (desktop or mobile) store client credentials locally and follow a similar token‑exchange flow, but must protect the secret carefully.
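As an added illustration (not code from the article or from Architect's Guide) of the step-by-step flow outlined under OAuth 2.0 Architecture and of the web-server versus native-application distinction above, the following Python sketch models all four roles in one process: an authorization server that issues single-use codes and exchanges them for access tokens, a resource server that checks the Bearer token and scope, and a client that drives the flow. Client ids, the secret, redirect URIs, the scope name and the returned profile are constructed assumptions. The native client uses PKCE (RFC 7636) instead of an embedded secret; the article does not mention PKCE, but it is the standard way an app that cannot keep a secret proves that the party redeeming the code is the one that started the flow.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, parse_qs

# Constructed client registrations (assumptions for this demo, not real endpoints):
# a confidential web-server client that holds a secret, and a public native client that cannot.
CLIENTS = {
    "web-app":    {"secret": "web-app-secret-CONSTRUCTED", "redirect_uri": "https://webapp.example/cb", "public": False},
    "native-app": {"secret": None, "redirect_uri": "com.example.native:/cb", "public": True},
}


def s256(verifier: str) -> str:
    """PKCE S256 challenge: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Authorization server role: issues single-use codes, then exchanges them for access tokens."""

    def __init__(self):
        self.codes = {}   # code -> grant details bound to the client and redirect_uri
        self.tokens = {}  # access_token -> client_id and granted scope

    def authorize(self, client_id, redirect_uri, scope, state, code_challenge=None):
        """Step 1: the resource owner consents; the server redirects back with a code and the client's state."""
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if client["public"] and code_challenge is None:
            raise ValueError("public clients must present a PKCE code_challenge")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "code_challenge": code_challenge}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, code, redirect_uri, client_secret=None, code_verifier=None):
        """Step 2: redeem the code; confidential clients prove a secret, public clients prove the PKCE verifier."""
        client = CLIENTS.get(client_id)
        grant = self.codes.pop(code, None)  # pop: every code is redeemable exactly once
        if client is None or grant is None or grant["client_id"] != client_id \
                or grant["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_grant")
        if client["public"]:
            if not hmac.compare_digest(s256(code_verifier or ""), grant["code_challenge"]):
                raise ValueError("invalid_grant: PKCE verifier does not match challenge")
        elif client_secret is None or not hmac.compare_digest(client_secret, client["secret"]):
            raise ValueError("invalid_client")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"client_id": client_id, "scope": grant["scope"]}
        return {"access_token": token, "token_type": "Bearer", "scope": grant["scope"]}


def protected_api(auth_server, headers):
    """Resource server role: accept only a Bearer token the authorization server issued, with the needed scope."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    info = auth_server.tokens.get(token) if scheme == "Bearer" else None
    if info is None:
        return 401, {"error": "invalid_token"}
    if "profile:read" not in info["scope"].split():
        return 403, {"error": "insufficient_scope"}
    return 200, {"name": "Alice (constructed)", "client_id": info["client_id"]}


def run_flow(client_id, use_pkce):
    """Client role: drive one complete flow and report the API result and whether code replay was refused."""
    auth = AuthorizationServer()
    redirect_uri = CLIENTS[client_id]["redirect_uri"]
    state = secrets.token_urlsafe(16)                           # binds the redirect to this client session
    verifier = secrets.token_urlsafe(48) if use_pkce else None  # kept by the client, never sent in step 1
    redirect = auth.authorize(client_id, redirect_uri, "profile:read", state,
                              s256(verifier) if use_pkce else None)
    params = parse_qs(redirect.split("?", 1)[1])
    if params["state"][0] != state:
        raise ValueError("state mismatch: redirect was not initiated by this client session")
    secret = None if use_pkce else CLIENTS[client_id]["secret"]
    tok = auth.token(client_id, params["code"][0], redirect_uri, secret, verifier)
    # Step 3: call the protected API with the access token in the HTTP Authorization header
    status, body = protected_api(auth, {"Authorization": f"Bearer {tok['access_token']}"})
    try:                                                        # a replayed code must be rejected
        auth.token(client_id, params["code"][0], redirect_uri, secret, verifier)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return status, body, replay_rejected


if __name__ == "__main__":
    for cid, pkce in (("web-app", False), ("native-app", True)):
        print(cid, run_flow(cid, pkce))
```

Three checks in this sketch are the ones worth carrying into a real deployment: the client verifies that the state it receives on the redirect is the one it generated, the authorization server binds each code to the client and redirect_uri that requested it and refuses a second redemption, and the resource server trusts nothing in the request except a token the authorization server can vouch for, together with its scope.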

Summary

The article recaps the complete OAuth 2.0 process, the involved terminology, and emphasizes the importance of understanding HTTP basics to work with access tokens effectively.

Tags: security, authentication, API, OAuth2, Authorization, SSO
Written by Architect's Guide

Dedicated to sharing programmer-architect skills—Java backend, system, microservice, and distributed architectures—to help you become a senior architect.