Glossary
OAuth 2.0
Delegated authorization
OAuth 2.0 is the standard protocol for delegated authorization — letting a third-party application access resources you control on another service without handing over your password. “Sign in with Google,” “Connect your GitHub account,” “Grant Zapier access to your Gmail” all use OAuth.
The four roles: resource owner (the user), client (the third-party app), authorization server (the OAuth-issuing service, e.g., accounts.google.com), resource server (the API the client wants to call, e.g., gmail.googleapis.com).
The most common flow (authorization code with PKCE):
- Client redirects user to the auth server.
- User logs in and approves the requested scopes.
- Auth server redirects back with a one-time authorization code.
- Client exchanges the code (plus PKCE verifier) for an access token.
- Client calls the resource server with the access token.
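The steps above as an added, self-contained walk-through (example code, not part of the glossary): the client and a toy authorization server are simulated in one Python process, and the endpoint, client id and redirect URI are made-up placeholders. It shows what PKCE actually buys: the code is bound to a challenge at approval time, so a leaked code cannot be redeemed without the verifier, and a code can be redeemed only once.

```python
# Added example: authorization-code + PKCE (RFC 7636) simulated in-process; all URLs/ids are placeholders.
import base64
import hashlib
import secrets
from urllib.parse import urlencode

def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_pkce_pair() -> tuple[str, str]:
    """Step 1 (client): random code_verifier and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside the RFC's 43..128 range
    return verifier, b64url(hashlib.sha256(verifier.encode()).digest())

def authorization_url(endpoint, client_id, redirect_uri, scopes, state, challenge) -> str:
    """Step 1 (client): the redirect the user is sent to; only the challenge travels here."""
    return endpoint + "?" + urlencode({
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": " ".join(scopes), "state": state, "code_challenge": challenge, "code_challenge_method": "S256"})

class AuthorizationServer:
    """Steps 2-4 (server): bind a one-time code to the challenge, release a token only to whoever holds the verifier."""
    def __init__(self):
        self._codes = {}

    def approve(self, client_id, redirect_uri, challenge) -> str:
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, redirect_uri, challenge)
        return code

    def exchange(self, code, client_id, redirect_uri, verifier):
        record = self._codes.pop(code, None)  # pop: a code is redeemable exactly once
        if record is None or record[:2] != (client_id, redirect_uri):
            return None
        if not secrets.compare_digest(b64url(hashlib.sha256(verifier.encode()).digest()), record[2]):
            return None  # a stolen code without the matching verifier buys nothing
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}

def run_flow():
    """Happy path (steps 1-4) followed by a replay of the same code, which must fail."""
    server = AuthorizationServer()
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)  # client must compare this on the redirect back (not shown)
    url = authorization_url("https://auth.example/authorize", "demo-app", "https://app.example/cb", ["openid", "email"], state, challenge)
    code = server.approve("demo-app", "https://app.example/cb", challenge)  # user logged in and approved
    token = server.exchange(code, "demo-app", "https://app.example/cb", verifier)
    replay = server.exchange(code, "demo-app", "https://app.example/cb", verifier)
    return url, token, replay
```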
OAuth 2.0 is authorization-only. OpenID Connect (OIDC) is the authentication layer on top — it adds an ID token (a JWT with claims about who the user is) so the client can know who logged in, not just “some authorized user.” Most modern “Sign in with X” flows are OIDC, not pure OAuth.
Published May 15, 2026