
OAuth

oh-AUTH

An open standard that lets users grant third-party apps limited access to their accounts without sharing passwords.

OAuth is the protocol behind every "Sign in with Google" and "Connect your GitHub account" button you have ever clicked. Instead of giving a third-party app your Google password, OAuth lets you authorize the app to access specific parts of your Google account. The app gets a token with limited permissions. Your password stays with Google.

The flow works like this: the app redirects you to Google. Google asks "Do you want to give this app access to your email and profile?" You click yes. Google redirects you back to the app with an authorization code. The app exchanges the code for an access token. The app uses the token to read your email and profile. The app never sees your Google password.

OAuth 2.0 is the current version and is used by virtually every major platform: Google, GitHub, Facebook, Microsoft, Slack, and Salesforce. For developer tools, OAuth is how you let users connect their GitHub repos, their Slack channels, or their cloud accounts to your product. Implementing OAuth correctly matters because getting it wrong exposes your users' accounts.

Examples

A developer platform adds 'Sign in with GitHub.'

The platform registers as an OAuth app with GitHub and requests access to the user's public profile and email. When a developer clicks 'Sign in with GitHub,' they are redirected to GitHub, where they approve the request. GitHub sends the platform an access token. The platform reads the developer's username, email, and avatar. No password is collected. If the developer revokes access later, the token stops working.

A CI/CD tool accesses a user's private repos via OAuth.

The CI tool needs to clone private repos to run builds. Instead of asking for SSH keys, it uses OAuth: the user authorizes the CI tool to access their GitHub repos. GitHub issues a token scoped to repo access. The CI tool uses this token to clone repos and read branch information. The user can revoke access at any time from their GitHub settings without changing any passwords or SSH keys.

An OAuth misconfiguration leads to a security incident.

A startup configures its OAuth integration but forgets to validate the 'state' parameter in the callback. An attacker crafts a link that initiates the OAuth flow with the attacker's authorization code. When a victim clicks the link, their account is connected to the attacker's GitHub. The fix takes 5 lines of code: generate a random state on redirect, store it in the session, and verify it matches on callback.
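Here is what those few lines look like in practice, as an added Python example that is not part of the original page. The client id, redirect URI and scopes are placeholders, and `session` stands in for whatever server-side session store the app uses:

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical client registration (placeholders, not real credentials).
AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
CLIENT_ID = "PLACEHOLDER-CLIENT-ID"
REDIRECT_URI = "https://app.example/oauth/callback"
SCOPES = "read:user user:email"


def begin_login(session: dict) -> str:
    """Step 1: mint an unguessable state, bind it to this user's session,
    and build the URL that sends the browser to the provider."""
    state = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe
    session["oauth_state"] = state      # lives only in the server-side session
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPES,
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Step 2: the provider redirects back with ?code=...&state=...
    Reject the callback unless state matches the value stored in step 1.
    Returns the authorization code that is then exchanged for a token."""
    query = parse_qs(urlparse(callback_url).query)
    returned_state = query.get("state", [""])[0]
    # pop() makes the state single-use: a replayed callback fails too.
    expected = session.pop("oauth_state", None)
    if not expected or not hmac.compare_digest(
        expected.encode(), returned_state.encode()
    ):
        raise PermissionError("OAuth state mismatch: callback rejected")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback is missing the authorization code")
    return code


def callback_accepted(session: dict, callback_url: str) -> bool:
    """Convenience wrapper: True only if the callback passes the state check."""
    try:
        handle_callback(session, callback_url)
        return True
    except (PermissionError, ValueError):
        return False
```

A callback whose state was not minted for this session, such as one carried in a link the victim was sent, is refused before the code is ever exchanged.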


Frequently asked questions

What is the difference between OAuth and OpenID Connect?

OAuth is about authorization: giving an app permission to access your resources (repos, files, contacts). OpenID Connect (OIDC) is built on top of OAuth and adds authentication: verifying your identity. When you 'Sign in with Google,' the app uses OpenID Connect to verify who you are and OAuth to access your profile data. In practice, most 'Login with X' implementations use both protocols together. If you just need login, you are using OIDC. If you need to access the user's data, you are using OAuth.

What are OAuth scopes?

Scopes define what the app is allowed to access. When GitHub asks 'This app wants to access your public repos and email,' those are scopes: 'repo' and 'user:email'. Scopes let users see exactly what they are granting. They let developers request only what they need. An app that only needs your name should not request access to your private repos. Users are more likely to authorize apps that request fewer, more specific scopes.
