What Is OAuth? | Microsoft Security (2024)

OAuth is a technological standard that allows you to authorize one app or service to sign in to another without divulging private information, such as passwords. If you’ve ever received a message such as, “Sign in with Facebook?” or “Allow this application to access your account?” you’ve seen OAuth in action.

OAuth stands for Open Authorization—not authentication, as it’s sometimes assumed to be. Authentication is a process that verifies your identity. OAuth does involve your identity, but its purpose is to grant permission to seamlessly connect to you with different apps and services without requiring you to create a new account. OAuth provides that simplicity of experience by giving you the option to authorize two apps to share some of your data without revealing your credentials. It strikes a balance between convenience and security.

OAuth is designed to work with Hypertext Transfer Protocol (HTTP). It uses access tokens to prove your identity and allow it to interact with another service on your behalf. In the event that this second service suffers a data breach, your credentials on the first service will remain safe. OAuth is a widely adopted, open-standard protocol and most developers of websites and apps use it.

Importantly, OAuth does not grant a third-party app or service unlimited access to your data. Part of the protocol is specifying what data the third party is allowed to access and what it can do with that data. Setting such limitations, and protecting identities in general, are especially critical in business scenarios where many people have access to a wealth of sensitive and proprietary information.

Access tokens are what make OAuth secure to use. An access token is a piece of data that contains information about the user and the resource the token is intended for. A token will also include specific rules for data sharing.

For example, you may want to share photos from your social media profile with a photo editing app, but you only want it to have access to some of your photos. It also doesn’t need to access your direct messages or friends list. The token only authorizes access to the data you approve. There may also be rules governing when the application can use that token—it might be for a single use or for recurring uses—and an expiration date.

The OAuth process is mostly a machine-to-machine interaction with just a few touchpoints for the user. In some scenarios, you may not need to provide your approval because it is being silently handled in the background by software. Two OAuth examples of this would be in an enterprise work scenario, where an identity platform handles connections between resources to reduce IT friction for a large number of users, or in interactions between some smart devices.

Like many technologies that simplify something tedious—in this case, manually creating accounts in multiple apps—OAuth has been almost universally adopted by app creators. It has a wide variety of use cases for people and businesses.

To give one OAuth example, suppose that you are using Microsoft Teams as a collaboration tool and want to access more information about the people you’re working with, both inside and outside of your organization. You decide to enable the LinkedIn integration so you can learn more about people as you interact with them, without leaving Teams. Microsoft and LinkedIn would then use OAuth to authorize the linking of your accounts with your Microsoft identity.

Another scenario using OAuth would be if you were to download a budgeting app to help you keep track of your spending with alerts and visual aids, like graphs. To do its job, the app would need access to some of your banking data. You could initiate a request to link your bank account with the app, authorizing only access to your account balance and transactions. The app and your bank would use OAuth do this exchange of information on your behalf without revealing your bank sign-in credentials to the app.

Another OAuth example would be if you were a developer using GitHub and you learn there is a third-party app available that can integrate with your account to perform automated code reviews. You go to the GitHub Marketplace and download the app. It would then ask you to authorize a connection with the app using your GitHub identity—a process that would be handled using OAuth. The reviewing app could then access your code without you having to sign in to both services every time.

The original OAuth 1.0 was developed only for websites. It’s not widely used today because OAuth 2.0 is designed for both apps and websites, plus it’s faster and easier to implement. OAuth 1.0 doesn’t scale like OAuth 2.0, and it only has three possible authorization flows compared to six with OAuth 2.0.

If you’re planning to use OAuth, it’s best to use version 2.0 from the outset. Unfortunately, OAuth 1.0 can’t be upgraded to OAuth 2.0. OAuth 2.0 was intended to be a radical redesign of OAuth 1.0 and several major tech companies contributed feedback about its design. A website can support both OAuth 1.0 and OAuth 2.0, but the creators intended that 2.0 would completely replace 1.0.

OAuth and Open ID Connect (OIDC) are closely related protocols. They are similar in that they both play a part in giving one application access to another application’s resources on a user’s behalf. The difference is that while OAuth is used for authorization to access resources, OIDC is used for authentication of a person’s identity. Both have a role to play in enabling two unrelated apps to share information without compromising user data.

Identity providers typically use OAuth 2.0 and OIDC together. OIDC was developed specifically to enhance the capabilities of OAuth 2.0 by adding an identity layer to it. Because it’s built on OAuth 2.0, OIDC isn't backwards compatible with OAuth 1.0.

Using OAuth 2.0 with your websites and apps can improve your user or employee experiences dramatically by simplifying the identity authentication process. To get started, invest in an identity provider solution, such as Microsoft Entra, that protects users and data with built-in security

Microsoft Entra ID (formerly Azure Active Directory) supports all OAuth 2.0 flows. App developers can use ID as a standards-based authentication provider to help them integrate enterprise-scale, modern identity capabilities into apps. IT admins can use it to control access.