Questions tagged [oauth-2.0]

OAuth (Open Authorization) is an open protocol framework to allow secure API authorization in a simple and standardized way for desktop, mobile and web applications. OAuth 2.0 is the second version of the OAuth protocol.


19611 questions

630 votes, 10 answers

How is OAuth 2 different from OAuth 1?

In very simple terms, can someone explain the difference between OAuth 2 and OAuth 1? Is OAuth 1 obsolete now? Should we be implementing OAuth 2? I don't see many implementations of OAuth 2; most are still using OAuth 1, which makes me doubt OAuth 2…
sullivan

572 votes, 8 answers

How does OAuth 2 protect against things like replay attacks using the Security Token?

As I understand it, the following chain of events occurs in OAuth 2 in order for Site-A to access User's information from Site-B. Site-A registers on Site-B, and obtains a Secret and an ID. When User tells Site-A to access Site-B, User is sent to…
William Jones

445 votes, 8 answers

What are the main differences between JWT and OAuth authentication?

I have a new SPA with a stateless authentication model using JWT. I am often asked to refer OAuth for authentication flows like asking me to send 'Bearer tokens' for every request instead of a simple token header but I do think that OAuth is a lot…
Venkatesh Laguduva

438 votes, 40 answers

Google OAuth 2 authorization - Error: redirect_uri_mismatch

On the website https://code.google.com/apis/console I have registered my application, set up generated Client ID: and Client Secret to my app and tried to log in with Google. Unfortunately, I got the error message: Error: redirect_uri_mismatch The…
user984621

300 votes, 7 answers

Why is there an "Authorization Code" flow in OAuth2 when "Implicit" flow works so well?

With the "Implicit" flow the client (likely a browser) will get an access token, after the Resource Owner (i.e. the user) gave access. With the "Authorization Code" flow however, the client (usually a web server) does only get an authorization code…
Aron Woost

270 votes, 3 answers

OAuth 2.0: Benefits and use cases — why?

Could anyone explain what's good about OAuth2 and why we should implement it? I ask because I'm a bit confused about it — here are my current thoughts: OAuth1 (more precisely HMAC) requests seem logical, easy to understand, easy to develop and really,…
tonyhb

266 votes, 12 answers

What is the purpose of the implicit grant authorization type in OAuth 2?

I don't know if I just have some kind of blind spot or what, but I've read the OAuth 2 spec many times over and perused the mailing list archives, and I have yet to find a good explanation of why the Implicit Grant flow for obtaining access tokens…
Dan Taflin

211 votes, 4 answers

Why do access tokens expire?

I am just getting started working with Google API and OAuth2. When the client authorizes my app I am given a "refresh token" and a short lived "access token". Now every time the access token expires, I can POST my refresh token to Google and they…
levi

187 votes, 3 answers

JWT refresh token flow

I'm building a mobile app and am using JWT for authentication. It seems like the best way to do this is to pair the JWT access token with a refresh token so that I can expire the access token as frequently as I want. What does a refresh token look…
jtmarmon

187 votes, 4 answers

What's a redirect URI? how does it apply to iOS app for OAuth2.0?

Beginner programmer here, please pardon ignorance & explanations will be really nice :) I've tried to read the tutorials for a certain OAuth 2.0 service, but I don't understand this redirect URI... in my particular context, let's say I'm trying to…
David T.

177 votes, 8 answers

What is the difference between the OAuth Authorization Code and Implicit workflows? When to use each one?

OAuth 2.0 has multiple workflows. I have a few questions regarding the two. Authorization code flow - User logs in from client app, authorization server returns an authorization code to the app. The app then exchanges the authorization code for…
divyanshm

175 votes, 9 answers

Refreshing OAuth token using Retrofit without modifying all calls

We are using Retrofit in our Android app, to communicate with an OAuth2 secured server. Everything works great, we use the RequestInterceptor to include the access token with each call. However there will be times, when the access token will expire,…
Daniel Zolnai

164 votes, 4 answers

Using an authorization header with Fetch in React Native

I'm trying to use fetch in React Native to grab information from the Product Hunt API. I've obtained the proper Access Token and have saved it to State, but don't seem to be able to pass it along within the Authorization header for a GET…
Richard Kho

164 votes, 6 answers

How to validate an OAuth 2.0 access token for a resource server?

When a client asks a resource server to get a protected resource with an OAuth 2.0 access token, how does this server validate the token? The OAuth 2.0 refresh token protocol?
Ack

159 votes, 4 answers

Google access token expiration time

When I obtain an access_token from the Google API, it comes with an expires_in value. According to the documentation, this value indicates "The remaining lifetime of the access token". What are the units of this value?
Frank LaRosa