What is OAuth 2.0?
OAuth 2.0 is an open authorization framework (RFC 6749) that lets a user grant a third-party application limited access to their resources on another service without sharing their password. Instead of credentials, the service's authorization server issues the application a short-lived access token, scoped to the permissions the user approved, which the application presents on API calls made on the user's behalf.
OAuth 2.0 solves the delegation problem: how do you let one service act on your behalf with another service without giving it your password? The familiar example is the consent screen behind "Sign in with Google": you authorize an app to read your Google profile, and Google issues the app a token scoped to just that permission and expiring after a short time. (The sign-in itself is OpenID Connect, which builds on OAuth 2.0; OAuth 2.0 on its own is about delegated access, not about proving who the user is.)
The four main OAuth 2.0 flows (called grant types) suit different client environments. The Authorization Code flow is the standard for web apps and mobile apps: the user is redirected to the authorization server, authenticates, approves the requested scopes, and is redirected back with a short-lived, single-use authorization code that the client exchanges at the token endpoint for an access token. Public clients (mobile and single-page apps, which cannot keep a client secret) must use it with PKCE (RFC 7636), which binds the code to the client instance that started the flow; current guidance in the OAuth 2.0 Security Best Current Practice recommends PKCE for confidential clients too, plus a state parameter on every authorization request so the callback cannot be forged by CSRF. The Client Credentials flow is for machine-to-machine access where no user is involved: the service authenticates directly with its client ID and secret (or a stronger client credential such as a private-key JWT or mTLS). The Device Authorization flow (RFC 8628, the "device code" flow) handles input-constrained devices like smart TVs. The Implicit flow, which returned the access token directly in the redirect URL fragment, is deprecated.
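The Authorization Code flow with PKCE, end to end, as an added example (it is not code from the original page or from any provider's SDK). It uses only the Python standard library; the endpoints, client ID and redirect URI are constructed placeholders, and ToyAuthorizationServer is a stand-in that performs only the checks relevant to the flow: the code is single-use, it is bound to the client ID and redirect URI that requested it, and the code_verifier presented at the token endpoint must hash to the code_challenge registered at the start.

```python
import base64
import hashlib
import secrets
import urllib.parse

# Constructed placeholders for the example; a real client reads the endpoints
# from the provider's metadata document and gets its client_id at registration.
AUTHORIZE_ENDPOINT = "https://auth.example.com/authorize"
TOKEN_ENDPOINT = "https://auth.example.com/token"
CLIENT_ID = "my-public-client"
REDIRECT_URI = "https://app.example.com/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """code_verifier (43 unreserved chars here) and challenge = BASE64URL(SHA256(verifier))."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_url(scope: str, state: str, code_challenge: str) -> str:
    """Step 1: the URL the client redirects the user's browser to."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,                      # CSRF protection for the callback
        "code_challenge": code_challenge,    # PKCE, S256 method
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: read the code off the redirect back, rejecting a state mismatch."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]


def build_token_request(code: str, code_verifier: str) -> dict:
    """Step 3: form body the client POSTs to the token endpoint (no client secret for a public client)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": code_verifier,
    }


class ToyAuthorizationServer:
    """Minimal stand-in for the server side, showing only the checks that matter here."""

    def __init__(self) -> None:
        self._pending = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, authorization_url: str) -> str:
        """User authenticates and consents; server redirects back with a fresh code."""
        q = urllib.parse.parse_qs(urllib.parse.urlsplit(authorization_url).query)
        code = b64url(secrets.token_bytes(24))
        self._pending[code] = (q["client_id"][0], q["redirect_uri"][0], q["code_challenge"][0])
        return q["redirect_uri"][0] + "?" + urllib.parse.urlencode({"code": code, "state": q["state"][0]})

    def token(self, req: dict) -> dict:
        entry = self._pending.pop(req.get("code"), None)  # codes are single-use
        if entry is None:
            raise ValueError("invalid_grant: unknown or already used code")
        client_id, redirect_uri, challenge = entry
        if req.get("client_id") != client_id or req.get("redirect_uri") != redirect_uri:
            raise ValueError("invalid_grant: client or redirect_uri mismatch")
        # PKCE: a stolen code is useless without the verifier that hashes to the stored challenge.
        presented = b64url(hashlib.sha256(req.get("code_verifier", "").encode("ascii")).digest())
        if not secrets.compare_digest(presented, challenge):
            raise ValueError("invalid_grant: PKCE verification failed")
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer", "expires_in": 300}


def run_flow(server: ToyAuthorizationServer, scope: str = "profile") -> dict:
    """Drive the whole exchange from the client's point of view."""
    verifier, challenge = make_pkce_pair()
    state = b64url(secrets.token_bytes(16))
    callback = server.authorize(build_authorization_url(scope, state, challenge))
    code = parse_callback(callback, state)
    return server.token(build_token_request(code, verifier))
```

The verifier is created fresh per authorization request and kept only in the client's session; it never appears in the front-channel redirect, so an attacker who intercepts the code (a leaky referrer, a malicious app registered for the same custom URL scheme) cannot redeem it.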
Access tokens are often JWTs, which lets the receiving API verify a token locally (signature, issuer, audience and expiry) without calling back to the authorization server; opaque tokens instead require a token introspection call (RFC 7662). Refresh tokens are longer-lived credentials that let a client obtain new access tokens after expiry without re-prompting the user, which also makes them a prime target for theft: they belong in server-side or platform-protected storage, and public clients should receive rotating refresh tokens that the authorization server revokes on reuse.
OpenID Connect (OIDC) is a thin identity layer on top of OAuth 2.0 that adds a standardised ID token (always a JWT) containing claims about the authenticated user: the subject identifier, issuer, audience, issue and expiry times, and optionally a nonce that the client supplied to bind the token to its own request. Most "Sign in with X" implementations use OIDC. The client must validate the ID token itself (signature, issuer, audience equal to its own client ID, expiry and nonce) rather than trusting it merely because it arrived over TLS.
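Local verification of a JWT access token by an API, and of an ID token by an OIDC client, in one added example (not code from the original page or from any OAuth library). It uses HS256 with a constructed shared secret so it runs offline; real providers sign with an asymmetric algorithm such as RS256 or ES256 and publish the public keys in a JWKS document, and the verifier then also pins the expected algorithm and key ID. The issuer, audiences and claim values are constructed placeholders; sign_hs256 stands in for the authorization server's signer.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the example only; never hard-code a real signing secret.
SECRET = b"constructed-demo-secret-not-for-production"
ISSUER = "https://auth.example.com"
API_AUDIENCE = "https://api.example.com"   # the resource server's identifier
AUDIENCE = "my-public-client"              # the OIDC client's client_id


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict) -> str:
    """Compact JWS with HS256; plays the role of the authorization server's signer."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, expected_aud: str, now: Optional[int] = None,
               expected_nonce: Optional[str] = None) -> dict:
    """Verify signature and the standard claims; returns the claims or raises ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm: the token's own header must not choose "none" or another alg.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(SECRET, (h_b64 + "." + p_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this audience")
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("token expired")
    if "nbf" in claims and now < int(claims["nbf"]):
        raise ValueError("token not yet valid")
    # ID tokens: the nonce the client sent must come back, or a replayed token would be accepted.
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def issue_access_token(sub: str, scope: str, now: int, ttl: int = 300) -> str:
    """Access token: audience is the API, carries the granted scope."""
    return sign_hs256({"iss": ISSUER, "sub": sub, "aud": API_AUDIENCE,
                       "scope": scope, "iat": now, "exp": now + ttl})


def issue_id_token(sub: str, nonce: str, now: int, ttl: int = 300) -> str:
    """ID token: audience is the client that requested sign-in, carries identity claims."""
    return sign_hs256({"iss": ISSUER, "sub": sub, "aud": AUDIENCE, "iat": now,
                       "exp": now + ttl, "nonce": nonce, "email": "alice@example.com"})
```

The audience check is what keeps the two token types apart: an access token minted for the API is rejected by the client as an ID token, and an ID token presented to the API as a bearer credential is rejected there, even though both carry a valid signature from the same issuer.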
OAuth 2.0 does not define how tokens are stored, what scopes mean, or how the authorization server behaves internally; these are left to the implementation. That is why the security of a deployment depends as much on the companion documents (the threat model in RFC 6819 and the OAuth 2.0 Security Best Current Practice) and on the provider's configuration as on the core RFC 6749 specification.