OAuth for API Authentication – Some Security Checks

  1. Limit the scope of the OAuth token to read-only wherever read access is all the client needs.

  2. Limit the token lifetime: issue short-lived access tokens with an early expiration.

  3. Restrict the IP addresses that are allowed to call the API with the token.

1. OAuth Roles

  • Resource Owner: The user or system that owns the resource (e.g., a user account).
  • Client: The application requesting access on behalf of the resource owner (e.g., a web or mobile app).
  • Authorization Server: The server that authenticates the resource owner and issues access tokens (e.g., Google OAuth server).
  • Resource Server: The API that the client wants to access (e.g., a REST API).

2. OAuth Flows

OAuth supports multiple “flows” or authorization workflows depending on the application type. The most common ones include:

  • Authorization Code Flow (for web applications):
    1. The user is redirected to the authorization server by the client.
    2. The user grants access and is redirected back with an authorization code.
    3. The client exchanges the authorization code for an access token.
  • Client Credentials Flow (for server-to-server applications):
    1. The client authenticates directly with the authorization server using its credentials.
    2. The client receives an access token directly without involving a user.
  • Implicit Flow (for browser-based or mobile apps, now largely discouraged due to security concerns): The access token is issued directly without an intermediate authorization code exchange.
  • Password Grant Flow (for trusted applications where the user provides credentials): The client submits the user’s username and password to the authorization server, and an access token is returned.

3. Access Tokens

Once the client obtains an access token (a string representing the authorization), it can be included in API requests (typically as a Bearer token in the Authorization header).

GET /user/profile
Host: api.example.com
Authorization: Bearer <access_token>

4. Refresh Tokens

Refresh tokens allow the client to request a new access token after the previous one expires without requiring the user to re-authenticate.

5. Scope and Permissions

OAuth uses scopes to define the level of access that the client is granted. For example, a client might request read-only access to a user’s profile but not write permissions.

GET /user/profile?scope=read
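As an added example (not code from the original page), a resource-server authorization check in Python that enforces the three checks listed at the top of this page together with the scope rule from this section: the token must be active, unexpired, read-only for read requests, and presented from an allowed source network. The token record, the 203.0.113.0/24 allowlist and the method-to-scope mapping are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample: what the resource server knows about a token after
# validating it (e.g. from a token-introspection response or a verified JWT).
ISSUED_AT = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
EXPIRES_AT = ISSUED_AT + timedelta(minutes=10)   # check 2: short-lived token
SAMPLE_TOKEN = {
    "active": True,
    "scope": "read",                              # check 1: read-only scope
    "exp": EXPIRES_AT,
}

# Check 3: only these source networks may call the API (hypothetical allowlist).
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Map the HTTP method onto the scope it needs; anything that mutates state needs "write".
REQUIRED_SCOPE = {"GET": "read", "HEAD": "read"}


def authorize_request(token, method, client_ip, now):
    """Return (allowed, reason). Every check must pass; the first failure is reported."""
    if not token.get("active", False):
        return False, "token revoked or invalid"
    if now >= token["exp"]:
        return False, "token expired"
    needed = REQUIRED_SCOPE.get(method.upper(), "write")
    granted = set(token.get("scope", "").split())   # scopes are space-separated
    if needed not in granted:
        return False, f"scope '{needed}' not granted"
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in net for net in ALLOWED_NETWORKS):
        return False, "source IP not allowed"
    return True, "ok"


if __name__ == "__main__":
    print(authorize_request(SAMPLE_TOKEN, "GET", "203.0.113.7", ISSUED_AT))     # allowed
    print(authorize_request(SAMPLE_TOKEN, "DELETE", "203.0.113.7", ISSUED_AT))  # write scope missing
    print(authorize_request(SAMPLE_TOKEN, "GET", "198.51.100.9", ISSUED_AT))    # IP not allowed
    print(authorize_request(SAMPLE_TOKEN, "GET", "203.0.113.7", EXPIRES_AT))    # expired
```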

Security Benefits of OAuth

  • Decoupling credentials: Users’ passwords are not shared with third-party apps.
  • Granular access control: Clients can be limited to specific scopes or resources.
  • Token expiration: Limits the risk if a token is compromised.