Add my own explanation

The reference below is solid. Next step: re-explain OAuth in my own words up here (Feynman-style), then keep the reference underneath as backup.

Reference explanation

OAuth is an open standard for delegated authorization — it lets a user grant one application limited access to their account on another service, without sharing their password.

Flow (simplified):

  1. App A wants to access user data on Service B (e.g., a calendar app wants Google Calendar access).
  2. Service B shows a consent screen: “App A wants to read your calendar. Allow?”
  3. User approves → Service B issues App A a token scoped to just what was approved.
  4. App A uses that token on future API calls. It never sees the user’s password, and the token can be revoked at any time without changing the password.

Key ideas:

  • Scopes — tokens are limited (e.g., “read repos” but not “delete repos”).
  • Revocable — kill the token, app loses access; the password is untouched.
  • No password sharing — apps never handle user credentials directly.
  • Delegation — the user delegates a subset of their authority to the app, time- and scope-bound.

Why it matters:

  • Replaces the bad old pattern where apps asked users to hand over their actual username/password (“password anti-pattern”).
  • Works cleanly with 2FA, since the token-issuance step happens in the authenticating service’s UI.
  • Underpins “Sign in with Google/GitHub/Apple” flows (though strictly those use OpenID Connect, which is an identity layer on top of OAuth 2.0).

Open questions

  • Difference between OAuth 2.0 authorization code flow vs. implicit flow vs. PKCE?
  • How does OpenID Connect (OIDC) sit on top of OAuth?
  • What’s a refresh token and how does it differ from an access token?