
What is OAuth 2.0?

OAuth 2.0 is an authorization framework for secure third-party access. Covers OAuth flows, tokens, and implementing social login.

OAuth is an authorization framework that lets users grant third-party applications limited access to their accounts without sharing passwords. When you click "Sign in with Google" or "Connect your GitHub account," OAuth is the protocol managing that secure handshake between the application, the identity provider, and your browser.

How It Works

OAuth 2.0 defines several authorization flows. The most common for web apps is the Authorization Code flow: your application redirects the user to the provider's login page (Google, GitHub, etc.), the user authenticates and grants permission, the provider redirects back with a temporary authorization code, and your server exchanges that code for an access token. This token lets your app access the user's data within the granted scopes.

Scopes define permission boundaries. An app might request read:email and read:profile but not write:repos. Users see exactly what permissions they are granting and can revoke access at any time.

Other flows include the Implicit flow (deprecated, for browser-only apps), Client Credentials (server-to-server without a user), and Device Authorization (for TVs, CLI tools, and devices without browsers).

Why It Matters

OAuth solves the password anti-pattern. Before OAuth, connecting two services meant giving one your password for the other. This was insecure because the app stored your password, inflexible because there was no way to limit access, and fragile because changing your password broke all integrations.

For developers, OAuth enables social login, reducing sign-up friction dramatically. Users do not create yet another password. For platforms, OAuth lets third-party developers build integrations without compromising user security.

In Practice

A project management tool wants to import issues from GitHub. Using OAuth, it redirects you to GitHub's authorization page, where you approve access to your repositories. The tool receives a token scoped to read issues only. It cannot modify your code, manage collaborators, or access other organizations. It has access to exactly what was authorized, and nothing more.

Common Mistakes

Never send tokens in URL parameters because they appear in server logs. Always validate the state parameter to prevent CSRF attacks. Use PKCE (Proof Key for Code Exchange) for public clients. Store refresh tokens securely server-side. Do not confuse OAuth (authorization) with OpenID Connect (authentication built on top of OAuth).
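The Authorization Code flow described above, combined with the state and PKCE checks from this section, as an added example that is not part of the original page. It assumes a placeholder provider endpoint, client id and redirect URI, and it builds the token-exchange body without sending it, so it runs offline.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder provider endpoint and client registration (assumed, not real).
AUTHORIZE_URL = "https://provider.example/oauth/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example/callback"

def make_pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636."""
    verifier = secrets.token_urlsafe(64)  # high-entropy, URL-safe, 43..128 chars
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge

def build_authorization_request(scopes):
    """Return the redirect URL plus the per-session secrets the server must keep."""
    state = secrets.token_urlsafe(32)  # binds the callback to this browser session
    verifier, challenge = make_pkce_pair()  # verifier stays server-side
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", {"state": state, "code_verifier": verifier}

def handle_callback(callback_url, session):
    """Validate the provider's redirect and build (not send) the token-request body."""
    query = parse_qs(urlparse(callback_url).query)
    # A state mismatch means this callback was not started by our session: refuse it.
    if query.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch, refusing to exchange the code")
    if "code" not in query:
        raise ValueError("provider returned error: " + query.get("error", ["unknown"])[0])
    return {
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session["code_verifier"],  # proves we began this flow
    }
```

The access token comes back in the body of the token endpoint's POST response, never in the redirect URL, which is what keeps it out of server logs.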
