Q29: What is OAuth 2.0, and How Does the Framework Operate?
What is OAuth 2.0, and How Does the Framework Operate?
Key Takeaways & Architecture Summary
- ✓Acts as a delegation framework, allowing apps to access resources without sharing passwords.
- ✓Relies on specific roles: Resource Owner, Client, Authorization Server, Resource Server.
- ✓Generates short-lived Access Tokens and long-lived Refresh Tokens.
Direct Answer Summary
OAuth 2.0 is an industry-standard authorization framework that enables third-party applications to obtain limited access to user resources without acquiring their login credentials. It operates by delegating user authentication to an Authorization Server, which issues a short-lived, scoped access token to the client application for access checks.
⚠️ Senior Engineering Warning (Red Flag)
Never treat OAuth 2.0 as an authentication protocol. OAuth 2.0 is strictly an authorization delegation framework. For authentication, OIDC (OpenID Connect) must be layered on top.
💡 STAR Architectural Explanation & Pro Tip
OAuth 2.0 supports multiple authorization flows (grant types) optimized for different application environments, such as Authorization Code (for secure server backends) and Client Credentials (for machine-to-machine integrations).
// RestAssured: Exchange Refresh Token for active Access Token
Response authResponse = RestAssured.given()
.formParam("grant_type", "refresh_token")
.formParam("refresh_token", "long-lived-token-value")
.auth().basic("client-id", "client-secret")
.post("https://auth.careerraah.com/oauth/token");
String accessToken = authResponse.jsonPath().getString("access_token");