Learn the basics of OAuth 2.0, the authorization framework that underpins delegated access to user data and, with OpenID Connect layered on top of it, third-party sign-in (e.g., 'Login with Google').
OAuth 2.0 is an authorization framework, not an authentication protocol. It is the industry standard for delegated authorization: it allows a third-party application (the 'client') to obtain limited access to a user's account on an HTTP service (the 'resource server'), such as Google, GitHub, or Facebook, without exposing the user's credentials to that application. (The 'Login with Google' use case is authentication built on top of OAuth 2.0 by the OpenID Connect extension; plain OAuth 2.0 only tells you what the client may access, not who the user is.)

The most common flow, the 'Authorization Code Grant', generally works like this:

1. Your application (the client) wants to access some of the user's data on Google (the resource server). It redirects the user's browser to Google's authorization endpoint with your application's client ID, the redirect URI it expects the answer at, the specific permissions ('scopes') it is requesting (e.g., 'read user profile'), and a random, per-request `state` value that it stores in the user's session.
2. The user logs into their Google account (if they aren't already) and is presented with a consent screen asking whether they want to grant your application the requested permissions.
3. If the user approves, Google's authorization server redirects the browser back to your application's registered redirect URI with a temporary, one-time-use 'authorization code' and the same `state` value. Your application must check that the returned `state` matches the one it stored; this is what stops an attacker from tricking a victim into completing a flow the attacker started (login CSRF).
4. Your application's backend server sends the authorization code to Google's token endpoint over a direct server-to-server request, together with your application's client secret. The client secret never leaves the backend; a browser-only or mobile client cannot keep a secret, which is why such clients use PKCE (a per-request code verifier and its SHA-256 challenge) instead of, or in addition to, a secret.
5. If the code, the secret (or PKCE verifier), and the redirect URI all check out, and the code has not been used before, Google's server returns an 'access token' to your application. The token is limited to the scopes the user consented to and expires.
6. Your application can now present this access token on API requests to Google, on behalf of the user, to access the data they consented to share.

Two checks matter on the authorization server side as well: the redirect URI must match a pre-registered value exactly (not by prefix or substring), or the code can be steered to an attacker's page, and each code must be rejected on any second use. Libraries like Passport.js in the Node.js ecosystem make implementing this flow much simpler, but they still rely on you to configure the exact redirect URI and to keep the client secret out of front-end code.