OAuth

OAuth 2.0 is an authorization framework that enables third-party applications to obtain limited access to user accounts without exposing passwords. It works by issuing access tokens after the user grants permission, allowing apps to act on the user's behalf for specific scopes. OAuth is widely used for "Sign in with Google/GitHub" flows and API authorization. Common misconfigurations include open redirect vulnerabilities in the callback URL and insufficient state parameter validation (leading to CSRF).

Why it matters for your website

• 1Directly impacts resistance to account takeover and credential theft
• 2Required for SOC 2, HIPAA, and PCI-DSS compliance
• 3Misconfiguration can expose all user accounts to attack