OAuth 2.0
What is OAuth 2.0
OAuth 2.0 (Open Authorization) is an industry-standard authorization protocol. It defines a mechanism for third-party applications to securely access user resources without obtaining the user's password.
Core Idea
When a third-party application wants to access a user's data in a system:
- The user explicitly authorizes the third-party application to access specific resources
- The system issues a short-term access token (Access Token)
- The third-party application uses the token instead of a password to access resources
- The token can be revoked by the user at any time without changing the password

Why OAuth 2.0 is Needed
Before OAuth, third-party applications usually required users to provide account passwords to access their data:
| Method | Risk |
|---|---|
| Sharing password | Third parties can abuse permissions; users cannot control granularly |
| Cannot revoke | Even if no longer using an app, you can only change the password |
| Cannot trace | You cannot know which applications are accessing your data |
Advantages of OAuth 2.0
- Secure: client does not touch user password, reducing leakage risk
- Controllable: users can authorize specific permissions and revoke at any time
- Traceable: server can centrally maintain audit logs
- Flexible: supports different trust levels, adapts to multiple scenarios
OAuth 2.0 and Identity Authentication
Important distinction: OAuth 2.0 is an authorization protocol, not an identity authentication protocol. It solves "what you can do", not "who you are".
If you need to complete identity authentication at the same time, use OIDC (OpenID Connect) built on OAuth 2.0.
Typical Application Scenarios
| Scenario | Description |
|---|---|
| Third-party login | Use WeChat/Alipay account to log in to other applications |
| API authorization | Authorize third-party applications to access user cloud disk, calendar, and other data |
| Delegated access | User authorizes an agent service to perform operations on their behalf |