
OAuth 2.0 — OAuth
OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.
Specs — OAuth
March 1, 2025 · OAuth Working Group Specifications Current active drafts in the OAuth working group Active Drafts
Getting Started — OAuth
OAuth 2.0 Servers, written by Aaron Parecki and published by Okta, is a guide to building an OAuth 2.0 server, including many details that are not part of the spec.
End User Authentication with OAuth 2.0 — OAuth
User Authentication with OAuth 2.0 The OAuth 2.0 specification defines a delegation protocol that is useful for conveying authorization decisions across a network of web-enabled applications and APIs. OAuth is used in a wide variety of applications, …
OAuth Community Site
An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications. Learn more about OAuth 2.0 »
Introduction — OAuth
September 5, 2007 · OAuth has built-in support for desktop applications, mobile devices, set-top boxes, and of course websites. Many of the protocols today use a shared secret hardcoded into your software to communicate, something which poses an issue when the service trying to access your private data is open source.
PKCE for OAuth 2.0
PKCE was originally designed to protect the authorization code flow in mobile apps, but its ability to prevent authorization code injection makes it useful for every type of OAuth client, even web apps that use client authentication.
Confidential and Public Clients - OAuth 2.0
Confidential clients are applications that are able to securely authenticate with the authorization server, for example being able to keep their registered client secret safe. Public clients are unable to use registered client secrets, such as applications running in a browser or on a mobile device.
OAuth 2.0 Scopes
Scope is a mechanism in OAuth 2.0 to limit an application's access to a user's account. An application can request one or more scopes; this information is then presented to the user in the consent screen, and the access token issued to the application will …
Client Authentication - OAuth 2.0
The core OAuth 2.0 specification defines the "client password" (e.g. client secret) client authentication type, which defines the client_secret parameter as well as the method of including the client secret in the HTTP Authorization header.