Glossary

What Is OAuth? Authorisation Explained

OAuth 2.0 is an authorisation framework that lets a resource owner (you) grant a third-party application limited access to a service without sharing credentials. Instead of giving an app your Google password, you approve specific scopes and receive a time-limited access token the app uses to act on your behalf.

Key OAuth 2.0 Roles

Resource Owner: the end user.
Client: the third-party app.
Authorisation Server: issues tokens (e.g., Google's auth server).
Resource Server: holds the data (e.g., Google Drive).

The Client redirects the user to the Authorisation Server, which authenticates them and asks for consent. On approval, an authorisation code is returned to the Client, which exchanges it for an access token.

Common Grant Types

Authorisation Code (+ PKCE): for web and mobile apps; the safest choice.
Client Credentials: for server-to-server calls with no user.
Implicit (deprecated): was used in SPAs, replaced by Auth Code + PKCE.
Device Code: for smart TVs and CLI tools where a browser redirect is impractical.

Always use PKCE (Proof Key for Code Exchange) for public clients.
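As an added example, not part of the original glossary: a minimal PKCE (RFC 7636, S256 method) exchange in Python. The client generates a code_verifier and sends only its code_challenge with the authorisation request; the toy authorisation server (class name and in-memory storage are assumptions) binds the challenge to the issued code and releases a token only to a caller that presents the matching verifier, so an intercepted code alone cannot be redeemed.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: 32 random bytes encode to 43 unreserved chars (RFC range 43..128)."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Assumed toy authorisation server: remembers the challenge bound to each code."""

    def __init__(self) -> None:
        self._pending: dict[str, tuple[str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        # Authorisation request: store (client, challenge) under a fresh one-time code.
        if method != "S256":
            raise ValueError("only S256 is accepted; 'plain' gives no interception protection")
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        # Token request: the code is consumed whether or not the exchange succeeds,
        # so a replayed or guessed code gets exactly one attempt.
        entry = self._pending.pop(code, None)
        if entry is None:
            return None
        stored_client, stored_challenge = entry
        if stored_client != client_id:
            return None
        presented = make_code_challenge(code_verifier)
        if not secrets.compare_digest(presented, stored_challenge):
            return None
        # Constructed sample token; a real server would issue a signed or opaque token here.
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer"}
```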

OAuth vs OpenID Connect

OAuth 2.0 handles authorisation (what you can do). OpenID Connect (OIDC) is a thin identity layer on top of OAuth that handles authentication (who you are). OIDC adds an ID token (a JWT) containing user identity claims. 'Sign in with Google' uses OIDC. Most modern auth systems combine both.