Understanding OAuth 2.0 Flow: Complete Diagram and Implementation Guide

What Is OAuth 2.0? OAuth 2.0 is the industry-standard authorization framework that enables third-party applications to obtain limited access to a user's resources without exposing their credentials. Instead of sharing passwords, OAuth 2.0 uses access tokens —short-lived, scoped strings that grant specific permissions to specific resources. If you've ever clicked "Sign in with Google" or authorized a GitHub app to access your repositories, you've used OAuth 2.0. The protocol was formalized in RFC 6749 and has become the backbone of modern API authorization across the web. OAuth 2.0 is not an authentication protocol by itself—it is an authorization framework. Authentication (proving who you are) is handled by extensions like OpenID Connect (OIDC), which layers identity on top of OAuth 2.0. Understanding this distinction is critical to building secure systems. Key Terminology Before diving into the flows, let's define the four roles that appear in every OAuth 2.0 interaction: Resource Own