The Basics of OAuth 2.0

Learn more about OAuth 2.0 and its components.

OAuth 2.0 isn’t an authentication protocol but rather an authorization protocol. Its main purpose is to give access to resources like user data, remote APIs, and so on. The difference between authorization and authentication can often be tricky to understand. The authentication process involves verifying who the user is. Once a user has been authenticated, the authorization process involves deciding which resources a user can access and modify.

OAuth 2.0 does its main job with the help of access tokens. An access token, which is often a JSON Web Token (JWT) formatted token, is used to access resources in place of the user. The token issuers can add the data of their choice to these tokens. Moreover, the access tokens may have an expiration date for security purposes.

The components of OAuth 2.0

Let’s look at some of the most important components of the OAuth 2.0 specification.


Roles define the fundamental and important components of an OAuth 2.0 system. The following roles are at the core of OAuth 2.0’s authorization system:

  • Resource owner
  • Client
  • Authorization server
  • Resource server

The resource owner is the owner of the secured resources. It holds the power to permit the use of those resources.

The client is the entity that needs permission to access the secured resources that are owned by the resource owner. In the context of OAuth 2.0, the client should have the appropriate access token to gain access to those resources.

The authorization server is where all the requests for access tokens from the client are directed. This server first authenticates the requests and then issues the access tokens after getting consent from the resource owner. The authorization server supports two endpoints:

  • Authorization endpoint: This endpoint handles the interactive authentication process and consent of the user.
  • Token endpoint: This endpoint is used in machine-to-machine communication.

The resource server hosts the secured resources that the client wants to use. Upon receiving access requests from the client, it first accepts and verifies an access token and then returns the requested resources to it.


OAuth 2.0 scopes restrict an application’s access to a user’s account. They specify the purposes that require permission to access the resources. When an application requests for one or more scopes, the information regarding the requested scopes is displayed to the user in the consent screen. The access token issued to the application is limited only to the scopes granted.

Note: OAuth doesn’t define any particular values for scopes. The acceptable scope values and the corresponding resources are dependent on the resource server.