OAuth 2.

0: Detailed Architecture & Explanation

Introduction
OAuth 2.0 is an industry-standard authorization protocol that allows secure access to
resources without sharing user credentials. It is widely used for enabling third-party
applications to interact with services like Google, Facebook, and GitHub on behalf of users.
Key Components of OAuth 2.0
🔑 Resource Owner (User): The entity that owns the protected resource (e.g., a user with a
Google account).

Client (Application): The third-party application that wants to access the user’s resources.

🔒 Authorization Server: The server that authenticates the user and issues an access token.

📡 Resource Server: The API server that hosts the protected resources and validates access
tokens.

OAuth 2.0 Authorization Flow (Step-by-Step)

Step 1: User Initiates Login (Authorization Request)

The user clicks on 'Login with Google' in TaskManagerApp. The app redirects to Google's
Authorization Server.

Step 2: User Grants Permission (User Authentication & Consent)

The user logs into Google, sees a consent screen, and allows access. Google generates an
Authorization Code.

Step 3: Client Requests an Access Token

TaskManagerApp's backend exchanges the Authorization Code for an Access Token with
Google.

Step 4: Access Token Issued

Google responds with an Access Token, allowing TaskManagerApp to make API calls on the
user's behalf.

Step 5: API Request with Access Token

TaskManagerApp sends the Access Token in API requests to fetch user data.

Step 6: Token Expiry and Refresh

If the Access Token expires, TaskManagerApp uses the Refresh Token to get a new one
without user intervention.

OAuth 2.0 Grant Types

Grant Type
Authorization Code Grant
Implicit Grant (Deprecated)
Client Credentials Grant
Password Grant (Not Recommended)
Device Authorization Grant
Use Case
Secure for web & mobile apps.
Was used for single-page apps (SPA), but
now discouraged.
For server-to-server communication.
Used when a user provides a username &
password directly.
Used for smart TVs and IoT devices.
Why OAuth 2.0 is Secure?
🔐 No password sharing – The app never sees user passwords.

Token-based system – Access Tokens are short-lived and can be revoked.

📏 Scope limitation – Users control what data the app can access.

Conclusion
OAuth 2.0 is a powerful and secure authorization framework used worldwide. By
implementing OAuth correctly, applications can provide a seamless authentication
experience while ensuring user data security.

OAuth 2.0 Roles Mapped to a Real-World Example

OAuth 2.0 Role Mapped Entity in Example Description
Resource Owner User (John Doe) John Doe wants to log in to
TaskManagerApp using
Google.
Client TaskManagerApp The third-party app
requesting access to John's
Google profile.
Authorization Server Google Authorization Server Authenticates John and
issues an Authorization
Code.
Resource Server Google API Server Stores John's profile and
validates access tokens.

OAuth 2.0 Flow in Action (Step-by-Step)

1 John clicks 'Login with Google' in TaskManagerApp.
1️⃣

2️⃣TaskManagerApp redirects John to Google’s Authorization Server.

3️⃣John logs into Google & grants permission for TaskManagerApp to access his profile.

4️⃣Google generates an Authorization Code and sends it back to TaskManagerApp.

5️⃣TaskManagerApp exchanges the Authorization Code for an Access Token with Google.

6️⃣Google returns an Access Token to TaskManagerApp, which can now access John’s profile.

7️⃣TaskManagerApp requests John’s profile from the Google API Server using the Access
Token.

8️⃣Google API Server returns John’s profile data, and TaskManagerApp logs John in.

9️⃣If the Access Token expires, TaskManagerApp can use a Refresh Token to get a new one.