Skip to main content

What is OAuth 2.0?

What is OAuth 2.0?

OAuth 2.0 is an authorization framework that enables your integration to obtain granular access to an app and service that your customers use. Your customers are presented a simple and secure way to authorize your integration to access their accounts without sharing their username and password with you.

You're probably familiar with the "Log in with Google" or "Log in with Facebook" buttons that you see on many websites. That's OAuth 2.0 in action! You click the button, you're redirected to Google or Facebook, you click "authorize" on a consent screen that says something like "Acme Corp would like access to read your posts", and then you're redirected back to Acme.

Advantages of OAuth 2.0 over other auth methods

With OAuth 2.0, your integration can obtain access to a customer's account without requiring the customer to share their username and password. This is a more secure method of authentication than other methods, such as Basic Auth, which requires the customer to share their username and password with your integration. Plus, if you ever change your password, you don't have to update your integration with the new password - OAuth 2.0 is a password-less authentication method that relies on access and refresh tokens.

OAuth 2.0 also enables your integration to obtain granular access to a customer's account. Rather than having full access to a customer's account, your integration can request access to only the resources that it needs to function.

The OAuth 2.0 auth code flow

At a high level, the OAuth 2.0 auth code flow works like this:

  • You approach a third-party app or service and register your integration. They give you a client ID and client secret.
  • When your customer wants to grant your integration access to their account, you send them to the third-party app or service with your client ID in hand.
  • Your customer is presented with a consent screen that describes the access that your integration is requesting. They click "authorize" to grant your integration access to their account.
  • The third-party app or service redirects your customer back to your integration with an authorization code.
  • Your app exchanges the authorization code with the third-party app for an access token and sometimes a refresh token.

Once your app has an access token in hand, you can use it to make API requests on behalf of your customer. When the access token expires, you can use the refresh token to obtain a new access token.

The OAuth 2.0 client credentials flow

The goal of the client credentials grant type is the same as the auth code grant type: to give your integration granular access to a customer's account. But, the mechanism you use to obtain an access token is different.

With the client credentials grant type, you don't need to redirect your customer to a third-party app or service (or need any human interaction at all). Instead, you ask your customer to generate a client ID and client secret in the third-party app. They hand you the client ID and client secret, and you use them to obtain an access token.

This grant type is sometimes called machine-to-machine (or M2M) because it doesn't require any human interaction. You still get the benefits of OAuth (like token refresh and granular access - your token is scoped with a specific set of permissions), but you do need your customer to fetch the client ID and client secret for you.

Registering an OAuth 2.0 app

Most apps that support OAuth 2.0 allow you to build and test an OAuth 2.0 integration in a sandbox by registering your integration. Some even let you deploy your integration via OAuth 2.0 to a hand-full of customers for testing purposes.

Most, though, require some sort of review process before you can deploy your integration to all of your customers. The review process is usually pretty simple and straightforward, but it's important to know that it can take time to get your integration approved, so it's important to plan ahead.

OAuth 2.0 in Prismatic

Prismatic takes care of the OAuth 2.0 flows for you. Prismatic's OAuth 2.0 service will take care of creating an OAuth callback URL, redirecting your customer to the third-party app or service, exchanging the authorization code for an access token, and refreshing the access token when it expires.

If you're building a custom component, you just need to provide Prismatic with the authorization and token URLs for the third-party app or service that you're integrating with.