OAuth 2.0 Authorization Framework
The foundation of modern app auth: third-party login, API authorization, SSO, and machine-to-machine access all use OAuth 2.0.
What It Defines
Defines the OAuth 2.0 framework for delegated authorization. Core flows: Authorization Code, Client Credentials, Device Authorization. Defines access tokens, refresh tokens, scopes, and redirect-based consent flows.
Canonical (Normative)
Convenient (Practical)
Related References
The canonical publication point for finalized RFCs. If a protocol is standardized as an RFC, the RFC Editor text is the normative final reference. It publishes the IETF, IRTF, IAB, and Independent Submission streams.
Related Specs
Every API that accepts an OAuth access token uses bearer token transport. Know the header format and the security implications of each transport method.
PKCE is required for all public clients (SPAs, mobile apps, desktop apps). If you're building a non-confidential OAuth client, PKCE is mandatory per current best practice.
Sign-in with Google/Apple/GitHub all use OIDC. If your app authenticates users via a third party, you're using OIDC whether you know it or not.
JWTs are the token format for OIDC ID tokens and many OAuth implementations. Understanding the structure and security tradeoffs is essential.