OAuth 2.0
Definition
OAuth 2.0 is an open authorisation standard that allows applications to gain limited access to user accounts on other services without sharing passwords. It is the basis for Sign in with Google, API authorisation and delegating access rights between applications.
How does OAuth 2.0 work?
OAuth 2.0 enables delegated authorisation through a four-step flow: the client requests user consent for specific scopes, the user grants permission at the authorisation server, the server issues an authorisation code, and the client exchanges it for an access token. The access token grants scoped access to the protected resource.
OAuth 2.0 and OpenID Connect
OAuth 2.0 is an authorisation protocol (what an app may do). OpenID Connect (OIDC) is an authentication layer on top of OAuth 2.0 (who the user is). Together they form the basis for modern SSO.
Security risks
OAuth misconfigurations are a common attack vector. The OWASP API Security Top 10 lists Broken Object Level Authorization (BOLA) as the top API risk. Typical OAuth risks include overly broad scopes, token theft via XSS or open redirects, insufficient redirect URI validation, and missing token expiry.
Impact on organisations
Virtually every modern web application and API uses OAuth 2.0. An incorrect implementation can lead to unauthorised access to user accounts and data. The EU Cyber Resilience Act (CRA) sets requirements for the security of authentication mechanisms.
Protection
Use proven OAuth libraries rather than custom implementations. Limit scopes to the minimum needed. Validate redirect URIs strictly, by exact match against the registered values. Implement token expiry and rotation. Use PKCE (Proof Key for Code Exchange) for public clients such as single-page and mobile apps, which cannot keep a client secret.
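The four-step flow and the protections above, as an added example that is not part of the original page or of DEFION's tooling: a minimal in-memory authorisation server that issues a single-use, short-lived code, enforces exact-match redirect URIs and registered scopes, and verifies PKCE (S256) on the token exchange. The client id, redirect URI and scopes are constructed sample values.

```python
import base64
import hashlib
import secrets
import time

# Constructed demo registry; a real authorisation server persists this.
CLIENTS = {"spa-client": {"redirect_uris": {"https://app.example/cb"},
                          "scopes": {"profile", "email"}}}
CODES = {}  # code -> binding of client, redirect_uri, scope, challenge, expiry

def _s256(verifier):
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def make_pkce_pair():
    """Client side: random code_verifier and its S256 code_challenge (RFC 7636)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    return verifier, _s256(verifier)

def authorize(client_id, redirect_uri, scope, code_challenge):
    """Steps 2-3: after user consent, issue a short-lived authorisation code."""
    client = CLIENTS.get(client_id)
    if client is None:
        raise ValueError("unknown client")
    # Exact match only: no prefix, wildcard or path-traversal matching.
    if redirect_uri not in client["redirect_uris"]:
        raise ValueError("invalid redirect_uri")
    requested = set(scope.split())
    if not requested <= client["scopes"]:  # least privilege: registered scopes only
        raise ValueError("scope not allowed")
    code = secrets.token_urlsafe(32)
    CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                   "scope": requested, "challenge": code_challenge,
                   "expires": time.time() + 60}
    return code

def token(client_id, code, code_verifier, redirect_uri):
    """Step 4: exchange the code for a scoped, expiring access token."""
    entry = CODES.pop(code, None)  # single use: a replayed code is rejected
    if entry is None or entry["expires"] < time.time():
        raise ValueError("invalid or expired code")
    if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
        raise ValueError("code bound to a different client or redirect_uri")
    if not secrets.compare_digest(_s256(code_verifier), entry["challenge"]):
        raise ValueError("PKCE verification failed")  # stolen code without verifier
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "expires_in": 900, "scope": " ".join(sorted(entry["scope"]))}
```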
How DEFION helps
DEFION tests OAuth implementations as part of Web Application Pentests and API Security Assessments.