- API access without a username and password
- Users and services can control clients
- OAuth 2 authentication requires HTTPS
- Several grant types that impact flows
- Authorization code grant is most common
- Implicit is common in web apps and mobile apps
- Client credentials grant is useful in system-to-system comms
(source: https://www.youtube.com/watch?v=H6MxsFMAoP8&t=07m29s)
- Access token - the secret and often short-lived token that identifies a user
- Refresh token - longer-lived token used to renew access token when it expires
- Scopes define the rights associated with the access token
- Define the access a service can use
- Google example: scope says that some application can read contacts and emails but it CANNOT read Google Docs
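The token and scope notes above, worked through as an added example (not code from the video or from any real provider): a toy authorization server issues a short-lived access token plus a longer-lived refresh token, and a toy resource server enforces scopes the way the Google example describes. Scope names (`contacts.read`, `mail.read`, `docs.read`), the client id and the lifetimes are constructed for illustration, not Google's real scope strings.

```python
"""Toy OAuth 2 token lifecycle: issue, check scope, expire, refresh.

Constructed example. Scope names, client ids and lifetimes are made up.
"""
import secrets
import time
from dataclasses import dataclass

ACCESS_TOKEN_TTL = 3600            # access tokens are short-lived (1 hour here)
REFRESH_TOKEN_TTL = 30 * 24 * 3600  # refresh tokens live longer (30 days here)


@dataclass
class TokenRecord:
    subject: str        # the user the token was issued for
    client_id: str      # the client (app) allowed to use it
    scopes: frozenset   # rights granted, e.g. {"contacts.read"}
    expires_at: float   # absolute expiry time (seconds)


class AuthorizationServer:
    """Issues and validates tokens; `now` is injectable so expiry can be tested."""

    def __init__(self, now=time.time):
        self._now = now
        self._access = {}
        self._refresh = {}

    def issue(self, subject, client_id, granted_scopes):
        access = secrets.token_urlsafe(32)   # opaque, unguessable bearer secret
        refresh = secrets.token_urlsafe(32)
        now = self._now()
        scopes = frozenset(granted_scopes)
        self._access[access] = TokenRecord(subject, client_id, scopes, now + ACCESS_TOKEN_TTL)
        self._refresh[refresh] = TokenRecord(subject, client_id, scopes, now + REFRESH_TOKEN_TTL)
        return {"access_token": access, "refresh_token": refresh, "token_type": "Bearer",
                "expires_in": ACCESS_TOKEN_TTL, "scope": " ".join(sorted(scopes))}

    def refresh(self, refresh_token, client_id):
        """Renew the access token. The refresh token is single-use (rotated) and
        the renewed access token keeps exactly the originally granted scopes."""
        rec = self._refresh.pop(refresh_token, None)
        if rec is None or rec.client_id != client_id or rec.expires_at <= self._now():
            return None
        return self.issue(rec.subject, rec.client_id, rec.scopes)

    def introspect(self, access_token):
        rec = self._access.get(access_token)
        if rec is None or rec.expires_at <= self._now():
            return None
        return rec


class ResourceServer:
    """The API: checks the bearer token, then checks the endpoint's required scope."""

    def __init__(self, auth_server):
        self._as = auth_server

    def handle(self, endpoint_scope, authorization_header):
        if not authorization_header.startswith("Bearer "):
            return 401, "missing bearer token"
        rec = self._as.introspect(authorization_header[len("Bearer "):])
        if rec is None:
            return 401, "invalid or expired token"
        if endpoint_scope not in rec.scopes:
            return 403, f"insufficient_scope: needs {endpoint_scope}"
        return 200, f"ok for {rec.subject}"


def demo():
    """Walk the lifecycle with a fake clock; returns the status codes observed."""
    clock = [1_000_000.0]
    auth = AuthorizationServer(now=lambda: clock[0])
    api = ResourceServer(auth)
    # The app was granted contacts + mail, but not docs (the Google example).
    grant = auth.issue("alice", "contacts-app", {"contacts.read", "mail.read"})
    hdr = "Bearer " + grant["access_token"]
    results = {"contacts": api.handle("contacts.read", hdr)[0],
               "docs": api.handle("docs.read", hdr)[0]}
    clock[0] += ACCESS_TOKEN_TTL + 1            # access token now expired
    results["expired"] = api.handle("contacts.read", hdr)[0]
    renewed = auth.refresh(grant["refresh_token"], "contacts-app")
    new_hdr = "Bearer " + renewed["access_token"]
    results["renewed"] = api.handle("contacts.read", new_hdr)[0]
    results["renewed_docs"] = api.handle("docs.read", new_hdr)[0]   # still no docs
    results["reuse_rejected"] = auth.refresh(grant["refresh_token"], "contacts-app") is None
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points worth noticing: the resource server answers 401 for a missing or expired token but 403 for a valid token lacking the scope, so clients can tell "get a new token" apart from "you were never granted this"; and refreshing can only reproduce the originally granted scopes, so a leaked refresh token does not widen access beyond what the user consented to.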