
OAuth 2.0

OAuth 2.0 is an authorization protocol that allows users to grant third-party applications access to their resources without sharing passwords. It enables delegation of access and is widely used for social login and API authorization.

# WHAT TEAMS RUN INTO

  • OAuth is vulnerable to redirect attacks if the redirect URI is not validated strictly. A malicious site can send users to a fake OAuth authorization screen, or intercept authorization codes in transit by having them delivered to a redirect URI it controls.

  • OAuth tokens lack built-in revocation. When a user revokes an application's access at the OAuth provider, tokens that were already issued can remain valid until they expire, so the application keeps its access in the meantime.

  • OAuth scope is often too broad. Applications request the equivalent of 'all access to everything', and users approve without understanding which permissions they are delegating. Scope becomes security theater.
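The first and third problems above come down to what the authorization server checks before it shows a consent screen. The following added example (not code from this page or from NewCore) is a minimal, defender-side validator: the redirect URI must match a registered value exactly, and every requested scope must be on the client's allow-list. The client registration, its URIs and scope names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample client registration (hypothetical values for this example).
REGISTERED_CLIENTS = {
    "photo-printer": {
        "redirect_uris": {"https://printer.example/oauth/callback"},
        "allowed_scopes": {"photos:read"},
    }
}


def redirect_uri_allowed(client_id, redirect_uri):
    """Exact-string match against the client's registered redirect URIs.

    Prefix, host-only or substring matching is the usual defect behind code
    interception: a different path under the registered host, an appended
    query string, or a lookalike host would all slip through.
    """
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return False
    if urlsplit(redirect_uri).fragment:
        # The authorization response is appended as a query string; a
        # fragment in the registered target is never legitimate.
        return False
    return redirect_uri in client["redirect_uris"]


def scope_allowed(client_id, requested_scope):
    """Return the granted scope set only if every requested scope is on the
    client's allow-list; an empty request or an unknown scope yields None."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return None
    requested = set(requested_scope.split())
    if not requested or not requested <= client["allowed_scopes"]:
        return None
    return requested


def validate_authorization_request(params):
    """Check an authorization request before any consent screen is shown.
    Returns (ok, reason). On a bad redirect URI the server must show an error
    page and never redirect (RFC 6749, section 4.1.2.1)."""
    client_id = params.get("client_id", "")
    if not redirect_uri_allowed(client_id, params.get("redirect_uri", "")):
        return False, "invalid_redirect_uri"
    if params.get("response_type") != "code":
        return False, "unsupported_response_type"
    if scope_allowed(client_id, params.get("scope", "")) is None:
        return False, "invalid_scope"
    return True, "ok"
```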

# WHY IT MATTERS

OAuth 2.0 solved a real problem — how to let third-party applications access user data without the user sharing passwords with those applications. But OAuth is an authorization protocol, not an authentication protocol. It proves that a user can access a resource, but it does not prove who the user is. That distinction matters — OAuth is often used for authentication, and it fails at authentication when users don't understand what they are authorizing.
