🔒The Knowledge Series is a collection of easy to read guides and tutorials for product teams and tech / business professionals, designed to help you fill in any gaps in your tech knowledge and level up your skills at work. Clearly explained in plain English. One topic at a time.
Hi product people 👋,
The next time you grant permission for Notion to access a Google Sheet so you can embed it or you sign in with your Google account to access your favorite news website, take a look at the URL. Chances are that somewhere you’ll probably see the word “OAuth”.
OAuth is used by product teams to help securely grant access to different products without having to share user credentials. It can be pretty confusing to get your head around the most important bits, but that’s exactly what this Knowledge Series is designed to do.
If you’ve ever sat in a meeting and engineers are talking about OAuth, authorization, access tokens and refresh tokens and wondered to yourself what exactly they’re talking about, this Knowledge Series should help.
Coming up:
What is OAuth and who uses it?
How does authorization work? A high level explanation
The differences between authorization and authentication
An end to end example of OAuth in practice using Google Sheets and Notion
Key terminology relating to OAuth
What is OAuth and who uses it?
OAuth stands for Open Authorization. It’s an open-standard authorization protocol that allows users to securely grant third parties access to their resources without handing over their credentials.
Put in slightly simpler terms, it gives users the ability to grant limited access to all kinds of things like their email account, photos, songs, social media and other ‘resources’. We use this every day when we login with Google accounts or decide to embed Figma files in other tools like Slack.
Google uses OAuth 2.0 for various APIs and services, including Gmail, Google Drive and YouTube
Spotify uses OAuth to allow users to post their playlists on social media
Figma uses OAuth to allow users to use plugins that access user specific data
If OAuth didn’t exist, the alternative would be for users to share their login details (username and passwords) with all of the different third party products that they use. And the reasons for not wanting this to be the way we share data are pretty self explanatory (!).
Security is clearly one of the major benefits of using OAuth but there are other benefits, too.
One is that the protocol is standardised across the industry, so most platforms and services support it. That makes it much easier for developers and product teams to integrate with other products and add more value to their own.
OAuth’s token-based access controls also mean users have a lot of power over the scope of what they’d like to share.
Imagine if access were all or nothing: to let a product see your Drive files, you’d also have to let it read, write and delete your emails. If that were the case, you’d probably think twice about granting any third party access to your Google Account. Thanks to OAuth, users have a great deal of control over exactly what they share with third parties.
You may want to allow one product the ability to write emails but another to read only. OAuth’s scoped access tokens allow you to do this. More on that later.
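To make the “one product can write, another can only read” idea concrete, here is a small simulation (an added example written for this guide, not code from the newsletter or from Google). It models an authorization server that issues a token limited to the scopes the user actually approved, and a mail resource server that checks the token’s scope and expiry before each operation. The scope names “gmail.readonly” and “gmail.send” are shorthand inspired by Google’s scope naming and are assumptions here, as are the app names and the token format.

```python
"""Toy model of OAuth scoped access tokens (added example, not from the newsletter).

Assumptions: scope names "gmail.readonly" and "gmail.send" are shorthand,
client names are made up, and tokens are random strings kept in memory.
A real deployment would use a proper authorization server and token
validation; the point here is how scope and expiry limit what a token can do.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class AccessToken:
    client_id: str
    scopes: frozenset
    expires_at: float


class AuthorizationServer:
    """Issues tokens limited to what the resource owner (the user) approved."""

    def __init__(self):
        self._tokens = {}

    def issue_token(self, client_id, requested_scopes, granted_scopes, ttl_seconds=3600):
        # The user may approve only a subset of the scopes the client asked for;
        # the token never carries more than that subset.
        effective = frozenset(requested_scopes) & frozenset(granted_scopes)
        token = secrets.token_urlsafe(32)
        self._tokens[token] = AccessToken(client_id, effective, time.time() + ttl_seconds)
        return token

    def introspect(self, token):
        # Returns the token's metadata, or None for an unknown token.
        return self._tokens.get(token)


class MailResourceServer:
    """Guards two operations, each requiring a specific scope."""

    REQUIRED_SCOPE = {"read_inbox": "gmail.readonly", "send_mail": "gmail.send"}

    def __init__(self, auth_server):
        self.auth = auth_server

    def call(self, token, operation):
        info = self.auth.introspect(token)
        if info is None:
            return (401, "invalid token")
        if info.expires_at <= time.time():
            return (401, "token expired")
        needed = self.REQUIRED_SCOPE[operation]
        if needed not in info.scopes:
            return (403, f"insufficient_scope: needs {needed}")
        return (200, f"{operation} ok for {info.client_id}")


def demo():
    """Constructed scenario: three apps, three different grants."""
    auth = AuthorizationServer()
    mail = MailResourceServer(auth)
    both = ["gmail.readonly", "gmail.send"]
    # A mail composer asks for read and send; the user approves both.
    composer = auth.issue_token("mail-composer", both, both)
    # A news reader also asks for both; the user approves read-only.
    reader = auth.issue_token("news-reader", both, ["gmail.readonly"])
    # An old grant whose token has already expired.
    expired = auth.issue_token("old-app", ["gmail.readonly"], ["gmail.readonly"], ttl_seconds=-1)
    return {
        "composer_send": mail.call(composer, "send_mail")[0],
        "reader_read": mail.call(reader, "read_inbox")[0],
        "reader_send": mail.call(reader, "send_mail")[0],
        "expired_read": mail.call(expired, "read_inbox")[0],
        "bogus_read": mail.call("not-a-real-token", "read_inbox")[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(name, status)
```

The interesting line is the intersection in issue_token: even though both apps asked for send permission, the news reader’s token only ever contains what the user approved, so its attempt to send mail is refused with 403 rather than quietly succeeding. Expiry is checked separately, which is why refresh tokens exist (covered later in this guide).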
How does OAuth work? A high level explanation
We’ll take a look at an in-depth end to end example shortly which goes further into each of the steps outlined, but for now here’s a super simple overview of how a basic OAuth setup works:
In this high level overview, we’re introduced to a couple of OAuth related concepts so let’s break these down.
First, when we’re talking about OAuth, the user is known as the resource owner. This is because they are the ones who have ultimate control over the resources that might be shared with the third party. This makes sense since we own the resources we create and have control over who to share them with.
In the context of OAuth, resources might include things like: