# OAuth 2.0

Status: public | Confidence: medium (0.865) (verified) | Last verified: 2026-05-30 | Generation: ai_structured

## TL;DR

OAuth 2.0 is an authorization framework for delegated, limited access to HTTP services. It is not, by itself, an authentication protocol; identity flows usually layer OpenID Connect on top of it. For modern deployments, PKCE and the OAuth 2.0 security best current practice are central to using the framework safely.

## Core Explanation

RFC 6749 separates four roles: the resource owner, the client, the authorization server, and the resource server. Instead of handing a password to a third-party client, the resource owner authorizes limited access and the client receives an access token bound to a defined scope or context.

PKCE, standardized in RFC 7636, adds a proof step to the authorization code flow for public clients. The client sends a code challenge during the authorization request and later proves possession of the original code verifier when it redeems the authorization code at the token endpoint.

RFC 9700 updates the security posture for OAuth 2.0 deployments. It documents newer attack classes and lessons learned from broad adoption, making clear that real systems must validate redirect behavior, token audience, client assumptions, and authorization server metadata rather than treating OAuth as a single turnkey login feature.

## Further Reading

- [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.txt)
- [RFC 7636: Proof Key for Code Exchange by OAuth Public Clients](https://www.rfc-editor.org/rfc/rfc7636.txt)
- [RFC 9700: Best Current Practice for OAuth 2.0 Security](https://www.rfc-editor.org/rfc/rfc9700.txt)

## Related Articles

- [OAuth 2.0: Authorization Framework and Security Best Practices](../oauth-2-0-authorization-framework-and-security-best-practices.md)
- [JWT (JSON Web Token)](../jwt.md)
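## Worked Example: The PKCE Proof Step

The PKCE step described under Core Explanation, as an added example that is not part of the original article or of any RFC text: the client derives an S256 code challenge from a random verifier, the authorization endpoint binds that challenge to the code it issues, and the token endpoint only accepts a code together with a verifier that reproduces the stored challenge. The in-memory code store and the `issue_code` / `redeem_code` functions are constructed for this illustration and are not a real authorization server's API.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Constructed in-memory authorization-server state for the example only.
_CODE_STORE: dict[str, tuple[str, str]] = {}  # code -> (code_challenge, method)
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")  # RFC 7636 section 4.1


def b64url(data: bytes) -> str:
    """Base64url encoding without padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: 32 random bytes encode to a 43-char verifier (the RFC minimum)."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def issue_code(code_challenge: str, method: str = "S256") -> str:
    """Authorization endpoint (hypothetical): bind the challenge to the code it issues."""
    if method not in ("S256", "plain"):
        raise ValueError("unsupported code_challenge_method")
    code = secrets.token_urlsafe(24)
    _CODE_STORE[code] = (code_challenge, method)
    return code


def redeem_code(code: str, code_verifier: str) -> bool:
    """Token endpoint (hypothetical): single-use code, verifier must match the challenge."""
    entry = _CODE_STORE.pop(code, None)  # a code is redeemable exactly once
    if entry is None or not _VERIFIER_RE.fullmatch(code_verifier):
        return False
    challenge, method = entry
    expected = make_code_challenge(code_verifier) if method == "S256" else code_verifier
    return hmac.compare_digest(expected, challenge)  # constant-time comparison


if __name__ == "__main__":
    verifier = make_code_verifier()
    code = issue_code(make_code_challenge(verifier))
    print("legitimate client redeems:", redeem_code(code, verifier))  # True
    code = issue_code(make_code_challenge(verifier))
    print("code without its verifier:", redeem_code(code, make_code_verifier()))  # False
```

The second call shows why PKCE matters: an authorization code on its own is worthless at the token endpoint unless the redeemer also holds the verifier that produced the stored challenge.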