
OAuth 2.0: What is it?

6 min read. Updated on 02 Apr 2026

Definition

OAuth 2.0 is a standard authorisation protocol that allows a third-party application to access a user's resources on another service without sharing their credentials. It underpins 'Sign in with Google/Facebook' and the security of modern APIs.

What is OAuth 2.0?

OAuth 2.0 is a standardised authorisation protocol (RFC 6749) that allows an application (the "client") to access a user's protected resources hosted by a third-party service (the "resource server"), with the user's explicit consent, without ever exposing their login credentials. In practice, when you click "Sign in with Google" on a website, OAuth 2.0 orchestrates the exchange: Google confirms your identity and grants the site a limited access token, without the site ever knowing your Google password.

OAuth 2.0 clearly distinguishes authentication (who are you?) from authorisation (what can you access?). The protocol focuses on authorisation, while OpenID Connect (OIDC), a layer built on top of OAuth 2.0, adds the authentication dimension. Together, they form the foundation of modern identity management for web and mobile applications.

The protocol defines four roles: the resource owner (the user), the client (the application requesting access), the authorization server (which issues tokens), and the resource server (which hosts protected data). This separation of responsibilities enables a flexible and secure architecture, suited to classic web applications, mobile apps, single-page applications, and machine-to-machine communications alike.

Why OAuth 2.0 matters

OAuth 2.0 has become the universal authorisation standard on the web. Its massive adoption by tech giants and companies of all sizes makes it an essential component of modern application architecture.

  • Credential security: users never have to share their password with third-party applications. Only limited-lifetime, restricted-scope tokens are exchanged.
  • Single Sign-On (SSO): OAuth 2.0 / OIDC allows users to sign into multiple applications with a single account (Google, Microsoft, corporate), simplifying the experience and strengthening security.
  • Granular permission control: OAuth scopes precisely define what the application can access (profile reading, calendar access, email sending), limiting privileges to the strict minimum.
  • Revocability: the user can revoke an application's access at any time from the identity provider's settings, without changing their password.
  • GDPR compliance: OAuth's explicit consent and permission granularity align with GDPR principles of data minimisation and informed consent.

How it works

OAuth 2.0 defines several flows (grant types) suited to different use cases. The most common is the Authorization Code Flow, used for server-side web applications. The user is redirected to the authorization server (Google, Microsoft) where they authenticate and consent to sharing certain data. The authorization server then redirects the user back to the application with a temporary authorization code. The application exchanges this code for an access token and a refresh token by contacting the authorization server directly (server-to-server), preventing token exposure in the browser.

For single-page applications (React, Vue), the Authorization Code Flow with PKCE (Proof Key for Code Exchange) adds protection against authorization code interception. The client generates a random code_verifier, derives a code_challenge sent with the authorization request, and proves its legitimacy by presenting the code_verifier during the code exchange.
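The Authorization Code flow with PKCE described in the two paragraphs above, played end to end in Python. This is an added example, not code from the original article or from Kern-IT: the in-memory `AuthorizationServer` class, the `spa-client` id and the `https://app.example/callback` redirect URI are constructed stand-ins for a real provider such as Microsoft Entra ID or Keycloak. The client side derives the `code_challenge` with the S256 method from RFC 7636; the server side binds the code to that challenge, the client and the redirect URI, makes the code single-use, and refuses the exchange when the presented `code_verifier` does not hash to the stored challenge.

```python
import base64
import hashlib
import secrets
import time

# ---- Client side (browser / SPA) -------------------------------------------

def make_verifier() -> str:
    """Random code_verifier: 43 unreserved characters (RFC 7636 allows 43..128)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")

def make_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

# ---- Authorization server side (constructed in-memory stand-in) ------------

class AuthorizationServer:
    def __init__(self, code_ttl: int = 60):
        self.code_ttl = code_ttl
        self._codes = {}  # code -> (client_id, redirect_uri, code_challenge, expires_at)

    def authorize(self, client_id, redirect_uri, code_challenge, method="S256"):
        """Authorization endpoint: after login and consent, bind a short-lived code to the challenge."""
        if method != "S256":
            raise ValueError("unsupported_code_challenge_method")  # the 'plain' method is not accepted
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, code_challenge, time.time() + self.code_ttl)
        return code

    def token(self, code, client_id, redirect_uri, code_verifier):
        """Token endpoint: the code is single-use and must match client, redirect URI and verifier."""
        entry = self._codes.pop(code, None)  # pop => a replayed code is rejected
        if entry is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        bound_client, bound_redirect, challenge, expires_at = entry
        if time.time() > expires_at or bound_client != client_id or bound_redirect != redirect_uri:
            raise PermissionError("invalid_grant: code expired or bound to another client/redirect")
        if not secrets.compare_digest(make_challenge(code_verifier), challenge):
            raise PermissionError("invalid_grant: PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 300}

# ---- The whole exchange, as the client sees it ------------------------------

def run_flow(server, client_id="spa-client", redirect_uri="https://app.example/callback",
             tamper_verifier=False):
    """Returns the token response; tamper_verifier simulates a party that stole the code but not the verifier."""
    verifier = make_verifier()                      # kept in the client's memory only
    challenge = make_challenge(verifier)            # sent with the authorization request
    code = server.authorize(client_id, redirect_uri, challenge)   # comes back via the redirect
    presented = make_verifier() if tamper_verifier else verifier
    return server.token(code, client_id, redirect_uri, presented)

if __name__ == "__main__":
    print(run_flow(AuthorizationServer()))
```

The `make_challenge` output can be checked against the worked example in RFC 7636 Appendix B, and the server deliberately pops the code before any other check so that a code which has already been redeemed cannot be exchanged a second time, whatever verifier accompanies it.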

The Client Credentials Flow is used for machine-to-machine (M2M) communications, for example between microservices or IoT devices, where there is no human user. The application authenticates directly with its client_id and client_secret to obtain an access token. Access tokens are typically issued in JWT format, enabling local verification without contacting the authorization server.
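The last sentence above, local verification of a JWT access token without contacting the authorization server, worked through in Python for a Client Credentials client. This is an added example, not code from the article or from Kern-IT, and it uses only the standard library so the checks are visible; in production use a maintained library (PyJWT, authlib) and prefer an asymmetric algorithm (RS256 with the provider's JWKS) so the resource server holds no signing secret. The `ISSUER` and `AUDIENCE` values and the `sensor-gateway` client are constructed, and HS256 with a shared secret is assumed so the block runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://auth.example"     # constructed identity of the authorization server
AUDIENCE = "https://api.example"    # constructed identity of the resource server

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_access_token(secret: bytes, client_id: str, scopes, ttl: int = 300, now=None) -> str:
    """Authorization server side: issue an HS256 JWT for a Client Credentials grant."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": client_id,
              "iat": now, "exp": now + ttl, "scope": " ".join(scopes)}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)

def verify_access_token(secret: bytes, token: str, required_scope: str, now=None) -> dict:
    """Resource server side: validate signature, issuer, audience, expiry and scope locally."""
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("invalid_token: malformed")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the expected algorithm is pinned; 'alg' in the token is never trusted
        raise PermissionError("invalid_token: unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("invalid_token: bad signature")
    claims = json.loads(_b64url_decode(claims_b64))      # only parsed after the signature holds
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise PermissionError("invalid_token: wrong issuer or audience")
    if now >= int(claims.get("exp", 0)):
        raise PermissionError("invalid_token: expired")
    if required_scope not in claims.get("scope", "").split():
        raise PermissionError("insufficient_scope")
    return claims

if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    token = mint_access_token(secret, "sensor-gateway", ["read:sensors"])
    print(verify_access_token(secret, token, "read:sensors"))
```

The order of checks matters: the signature is verified over the raw base64 segments before the claims are parsed, so a forged payload or an `alg: none` header is rejected before any claim influences the decision, and the scope check uses the space-separated `scope` claim exactly as the authorization server issued it.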

Concrete example

At Kern-IT, we integrate OAuth 2.0 into our Django applications to offer modern, secure authentication. In a business platform for a real estate client, we implemented SSO via Microsoft Entra ID (formerly Azure AD) with django-allauth. The client company's users sign in with their existing Microsoft credentials, without creating an additional account. The configured OAuth scopes grant access to profile and email, but not OneDrive files or calendar, in accordance with the principle of least privilege.

For machine-to-machine integrations on our IoT platform, backend services use the Client Credentials Flow to communicate securely with each other. Raspberry Pi devices deployed in the field authenticate with service tokens via an adapted flow, and data flows up to KERN MAP through an OAuth 2.0-protected API with specific scopes (read:sensors, write:alerts).

Implementation

  1. Choose the appropriate flow: Authorization Code with PKCE for web apps and SPAs, Client Credentials for M2M, Device Code for IoT devices without a browser.
  2. Configure the identity provider: register your application with the authorization server (Google, Microsoft Entra ID, Keycloak) and obtain client_id and client_secret.
  3. Integrate django-allauth or django-oauth-toolkit: django-allauth to consume an external provider's OAuth (SSO), django-oauth-toolkit to turn your Django application into an OAuth 2.0 server.
  4. Define scopes: limit requested permissions to the strict minimum for your use case, in accordance with GDPR and the principle of least privilege.
  5. Secure tokens: store access tokens in memory on the client side and refresh tokens in HttpOnly cookies. Configure short lifetimes for access tokens.
  6. Implement complete logout: upon logout, revoke tokens with the authorization server in addition to clearing the local session.
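Steps 5 and 6 above, seen from the authorization server: short-lived access tokens, refresh tokens that are rotated on every use, and revocation on logout that invalidates the access and refresh tokens together. This is an added example in plain Python, not code from the article, from Kern-IT or from django-oauth-toolkit (which implements this bookkeeping for you); the `TokenStore` class, its in-memory dictionaries and the `device-42` and `alice` subjects are constructed for illustration. The `revoke` method follows the RFC 7009 convention of succeeding silently for unknown tokens, and a rotated refresh token that is presented a second time is treated as evidence of theft and revokes the whole family.

```python
import secrets
import time

ACCESS_TTL = 300            # step 5: access tokens live five minutes
REFRESH_TTL = 14 * 86400    # refresh tokens live two weeks

class TokenStore:
    """Server-side token bookkeeping; a 'family' is everything descended from one login."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so expiry can be tested without sleeping
        self._access = {}       # access_token  -> {"sub", "scope", "exp", "family"}
        self._refresh = {}      # refresh_token -> {"sub", "scope", "exp", "family", "used"}

    def issue(self, sub: str, scope: str, family: str = None) -> dict:
        """Issue a new access/refresh pair; called at login and on each refresh."""
        now = self.clock()
        family = family or secrets.token_hex(8)
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = {"sub": sub, "scope": scope, "exp": now + ACCESS_TTL, "family": family}
        self._refresh[refresh] = {"sub": sub, "scope": scope, "exp": now + REFRESH_TTL,
                                  "family": family, "used": False}
        return {"access_token": access, "refresh_token": refresh,
                "token_type": "Bearer", "expires_in": ACCESS_TTL}

    def introspect(self, access_token: str) -> dict:
        """RFC 7662-style answer: active only if known and not expired."""
        rec = self._access.get(access_token)
        if rec is None or rec["exp"] <= self.clock():
            return {"active": False}
        return {"active": True, "sub": rec["sub"], "scope": rec["scope"], "exp": int(rec["exp"])}

    def refresh(self, refresh_token: str) -> dict:
        """Rotate: the old refresh token is marked used and a new pair is issued in the same family."""
        rec = self._refresh.get(refresh_token)
        if rec is None or rec["exp"] <= self.clock():
            raise PermissionError("invalid_grant")
        if rec["used"]:
            # A rotated token came back: someone else holds a copy. Kill the whole family.
            self._revoke_family(rec["family"])
            raise PermissionError("invalid_grant: refresh token reuse detected")
        rec["used"] = True
        return self.issue(rec["sub"], rec["scope"], family=rec["family"])

    def revoke(self, token: str) -> None:
        """Step 6: logout sends either token here; both halves of the pair stop working."""
        family = None
        if token in self._access:
            family = self._access[token]["family"]
        elif token in self._refresh:
            family = self._refresh[token]["family"]
        if family is not None:
            self._revoke_family(family)   # unknown token: silently succeed, per RFC 7009

    def _revoke_family(self, family: str) -> None:
        for store in (self._access, self._refresh):
            for tok in [t for t, r in store.items() if r["family"] == family]:
                del store[tok]

if __name__ == "__main__":
    store = TokenStore()
    pair = store.issue("device-42", "read:sensors write:alerts")
    print(store.introspect(pair["access_token"]))
    store.revoke(pair["refresh_token"])
    print(store.introspect(pair["access_token"]))
```

On the client side this pairs with step 5 as written: the short-lived access token stays in memory, the refresh token travels only in an HttpOnly cookie, and the logout handler calls the revocation endpoint with the refresh token before clearing the local session, so the access token is dead on the server even though the browser may still hold a copy.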

Associated technologies and tools

  • django-allauth: comprehensive Django library for social authentication (Google, Facebook, Microsoft, GitHub) via OAuth 2.0 / OIDC.
  • django-oauth-toolkit: full OAuth 2.0 / OIDC server implementation for Django, RFC 6749 compliant.
  • Keycloak: open-source identity server (Red Hat) supporting OAuth 2.0, OIDC, SAML, and fine-grained role and permission management.
  • Microsoft Entra ID: Microsoft's cloud identity service, widely used by Belgian and European companies for SSO.
  • OpenID Connect (OIDC): authentication layer built on OAuth 2.0, adding the ID token and discovery endpoints.
  • JWT: the token format most commonly used for OAuth 2.0 access tokens, enabling stateless verification by the resource server.

Conclusion

OAuth 2.0 is the pillar of authorisation and authentication on the modern web. Whether implementing SSO with Google or Microsoft, securing communications between microservices, or protecting access to IoT APIs, OAuth 2.0 provides a standardised, flexible, and secure framework. At Kern-IT, we integrate OAuth 2.0 into our Django applications via django-allauth and django-oauth-toolkit, offering our Belgian clients a modern authentication experience while ensuring GDPR compliance and security best practices.

Pro tip

Always use the Authorization Code flow with PKCE, even for server-side applications. PKCE adds no complexity overhead and provides additional protection against authorization code interception. This is now the official OAuth 2.1 recommendation.
