
OAuth 2.0 — OAuth
OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, …
User Authentication with OAuth 2.0
Even with all of this robust authentication capability, OpenID Connect is (by design) still compatible with plain OAuth 2.0, making it a very good choice to deploy on top of an OAuth system with minimal …
Getting Started — OAuth
OAuth 2.0 Simplified, written by Aaron Parecki, is a guide to OAuth 2.0 focused on writing clients that gives a clear overview of the spec at an introductory level.
Client Authentication - OAuth 2.0
The core OAuth 2.0 specification defines the "client password" (e.g. client secret) client authentication type, which defines the client_secret parameter as well as the method of including the client secret in …
OAuth Community Site
An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications. Learn more about OAuth 2.0 »
Specs — OAuth
Dec 1, 2025 · OAuth Working Group Specifications Current active drafts in the OAuth working group Active Drafts ... Active Individual Drafts ... RFCs
PKCE for OAuth 2.0
PKCE was originally designed to protect the authorization code flow in mobile apps, but its ability to prevent authorization code injection makes it useful for every type of OAuth client, even web apps …
OAuth 2.0 Password Grant Type
This flow provides no mechanism for things like multifactor authentication or delegated accounts, so is quite limiting in practice. The latest OAuth 2.0 Security Best Current Practice disallows the password …
OAuth 2.0 MTLS - Mutual TLS Client Authentication
MTLS is a form of client authentication and an extension of OAuth 2.0 that provides a mechanism of binding access tokens to a client certificate. It is one of many attempts at improving the security of …
Introduction — OAuth
Sep 5, 2007 · ‘Why OAuth is not an OpenID extension?’ is probably the most frequently asked question in the group. The answer is simple: OAuth attempts to provide a standard way for developers to offer …