
Guide to OAuth2 – How OAuth2 Works

This app wants to access your Location, Files, and Contacts.

If you have seen this message, you have interacted with OAuth 2 on a high level.

Previously, sharing information between apps was relatively straightforward: a user handed their login details to another app, which could then grab whatever it wanted.

However, with about 560,000 new pieces of malware detected daily, a change in how information is exchanged was inevitable.

That’s why OAuth was designed.

Today, we’ll dive in to learn about OAuth2, how it works, and some real-world examples. But before that, let’s first clear one thing out of the way – Authorization vs. Authentication.      

Understanding Authorization & Authentication

OAuth2 is an authorization protocol, but some confuse it with authentication. 

So, here are some key differences between authorization and authentication:

  • Authorization determines the resources a user can access, whereas authentication verifies the user.
  • Authorization deals with settings implemented by an organization. On the flip side, authentication is something provided or entered by a user, like a password, biometric face scans, etc.
  • Authentication is done first, and then authorization is given. 

OAuth2 – The New Standard Authorization Protocol

OAuth2 is an Open Standard Authorization framework based on the access token system. 

Without sharing user credentials, it enables apps like Facebook, Google, GitHub, etc., to provide account information like name, gender, etc., to third-party apps.

OAuth2 delegates user authentication to the service that hosts the user account. Then, the host, like Google, acts as an intermediary on the user’s behalf to share information with other services like Zapier using access tokens, authorization codes, etc.

So, OAuth2 provides restricted actions and consented access to what a third-party app can perform.

Note: The main platform for OAuth2 is the web, but it also describes how to handle access from other client types, including server-side web apps, connected devices, native/mobile apps, etc.

How OAuth2 Works & Some Aftermath

Learning the Basics – Roles of OAuth2

An OAuth2 system consists of the following four components:

Resource Owner

A user who owns the protected resources and has the authority to access them is known as a resource owner.

Authorization Server

The app that hosts the account of the Resource Owner, like Facebook, Google, GitHub, etc. An Authorization Server gives the green light on behalf of the user by providing access tokens to third-party services.

The Authorization Server has two endpoints: Authorization and Token. The Authorization endpoint handles user authentication and consent, whereas the Token endpoint deals with machine-to-machine interaction.


Client

A system that requires a Resource Owner to provide access to protected assets. However, the Client must have appropriate access tokens.

Resource Server

A server that contains the data of the users a Client wants to access. This server also accepts, validates, or rejects access tokens from the Client.

OAuth2 Workflow – An Easy Step-by-Step Guide

Before OAuth 2.0 can be used, the Client must acquire credentials from the Authorization Server: a client id and a client secret. Without them, the server can't identify and authenticate the Client when it requests an access token.

Here’s an easy step-by-step guide to what happens when a Client initiates a request:

1. An Authorization Request is sent by the Client with the client id and client secret to the Authorization Server. Moreover, the Client also sends the Scopes and an Endpoint URI, where it will receive the access token or the authorization code.

2. The Authorization Server authenticates the Client and verifies whether the provided Scopes are permitted.

3. The Resource Owner links up with the Authorization Server to provide access to information as per their preference.

4. Now, the Authorization Server provides the Client with a refresh token, access token, or authorization code – depending on the grant type.

5. With the access token/refresh token/authorization code, the Client can successfully request resource access from the Resource Server.        

Scopes in OAuth2

Scopes are used to specify the reasons for requiring access to the requested resources. They limit an app’s access to a resource owner’s data.

When a client sends an Authorization Request to the authorization server, it includes the list of scopes. The server uses contents inside the list to generate consent screens for the user.

The authorization server only provides access to the scopes that the user grants. So, if your customer allows your app to access their location, it will stay scoped to it. Your app won’t be able to use the access token/code to see anything other than their location.
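An added example, not from the original article or Vault Vision: the workflow steps and scope rules above as an in-memory authorization code grant in Python, with no HTTP layer. It follows RFC 6749 in presenting the client secret only at the token endpoint; the client registration, function names and `client.example` URI are assumptions made for illustration.

```python
import secrets
import time

# Constructed registration data for a hypothetical client (assumption, not from the article).
CLIENTS = {"demo-client": {"secret": "demo-secret",
                           "redirect_uri": "https://client.example/callback",
                           "allowed_scopes": {"location", "contacts", "files"}}}
CODES = {}    # authorization code -> grant details (single use, short lived)
TOKENS = {}   # access token -> scopes the user actually granted

def authorize(client_id, redirect_uri, requested, consented):
    """Authorization endpoint: validate the request and record the user's consent."""
    client = CLIENTS.get(client_id)
    if client is None or redirect_uri != client["redirect_uri"]:
        raise PermissionError("unknown client or unregistered redirect URI")
    if not set(requested) <= client["allowed_scopes"]:
        raise PermissionError("scope not permitted for this client")
    granted = set(requested) & set(consented)   # only what the user approved
    code = secrets.token_urlsafe(16)
    CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                   "scopes": granted, "expires": time.time() + 60}
    return code

def token(client_id, client_secret, code, redirect_uri):
    """Token endpoint: authenticate the client, then swap a one-time code for a token."""
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        raise PermissionError("client authentication failed")
    grant = CODES.pop(code, None)               # pop makes the code single use
    if (grant is None or grant["client_id"] != client_id
            or grant["redirect_uri"] != redirect_uri or grant["expires"] < time.time()):
        raise PermissionError("invalid authorization code")
    access_token = secrets.token_urlsafe(24)
    TOKENS[access_token] = grant["scopes"]
    return access_token

def resource(access_token, required_scope):
    """Resource server: accept the token only if it carries the scope the data needs."""
    scopes = TOKENS.get(access_token)
    if scopes is None:
        raise PermissionError("invalid token")
    if required_scope not in scopes:
        raise PermissionError("insufficient scope")
    return f"{required_scope} data"

def demo():
    """Client asks for location and contacts; the user consents to location only."""
    uri = "https://client.example/callback"
    code = authorize("demo-client", uri, ["location", "contacts"], ["location"])
    return code, token("demo-client", "demo-secret", code, uri)
```

The token returned by `demo()` reads location data, is rejected for contacts, and the authorization code cannot be redeemed a second time.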

How to Setup OAuth2 – Enter Vault Vision

Want to set up OAuth2 for your business website or app? Say hello to Vault Vision.

At Vault Vision, we make authentication and authorization seamless, fast, and easy for everyone.

We are certified by OpenID Connect and regularly tested to promise our customers ultra-secure authorization.

To integrate your service with OAuth2, we provide hassle-free, non-technical, and easy no-code setups. Moreover, we provide preconfigured setups and starter kits to get you up & running in no time. 

Final Words

OAuth2 is the future of authorization. It’s simple, fast, and secure. No need to directly share user credentials. Instead, rely on a trusted authorizer like Google, Facebook, etc., to pass on information to third-party services.

At Vault Vision, we can help your website/app comply with OAuth2. This way, your customers can sign up for your platform using their preferred authorizer, eliminating the risk of credential leaks.

Try our platform for just $25 monthly, or start your free trial without entering your payment details. To fly high, contact us to learn more about our Enterprise Plan.
