OAuth
OAuth is an open authorization framework that allows users to grant third-party applications limited access to their accounts on other services, such as Google or GitHub, without sharing their passwords directly with the third-party application.
Understanding OAuth
OAuth powers the "Sign in with Google" and "Sign in with GitHub" buttons seen on countless web applications. Instead of creating a new username and password for every service, users can authenticate through a provider they already trust. The OAuth flow redirects the user to the provider's login page, the user grants permission, and the provider sends an authorization code back to the application.
For vibecoders, OAuth is attractive because it offloads the complexity of password management and account security to established providers. Many AI coding tools can generate OAuth integration code with popular providers. However, the OAuth flow involves multiple redirects, callback URLs, token exchanges, and error states, each of which can go wrong.
Testing OAuth flows requires verifying the complete cycle: initiating the login, completing the provider authentication, handling the callback, and establishing the local session. Testers should also check what happens when the user denies permission, when the callback URL is incorrect, and when the provider returns an error. These failure scenarios are frequently not handled in AI-generated OAuth code.
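The flow described above (redirect to the provider, provider returns a code on the callback) and the failure cases the testing paragraph lists (user denies permission, bad or missing callback parameters, provider error) can be seen together in one small callback handler. The following is an added example, not code from the original page or from any particular provider's SDK: the provider URL, client id, redirect URI and the `fake_exchange` stand-in for the token endpoint are all constructed for illustration. Every failure path returns a terminal result for the app to render instead of bouncing the user back to the provider, which is exactly what the "denied, then infinite redirect loop" case needs.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlencode

# Constructed values for this example only; no real provider or client is referenced.
AUTHORIZE_URL = "https://provider.example/oauth/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example/oauth/callback"


@dataclass
class CallbackResult:
    """Outcome of processing the provider's redirect back to the application."""
    status: str                    # "ok", "denied", "error" or "invalid"
    message: str
    user_id: Optional[str] = None  # set only when status == "ok"


def build_authorize_redirect(session: dict) -> str:
    """Step 1: build the redirect to the provider's login page.

    A random 'state' value is stored in the user's session and echoed back by the
    provider; it ties the callback to the browser that started the login (CSRF defence).
    """
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return AUTHORIZE_URL + "?" + urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": state,
    })


def handle_callback(params: dict, session: dict,
                    exchange_code: Callable[[str], Optional[str]]) -> CallbackResult:
    """Step 2: process the query parameters the provider sent to the callback URL.

    Checks are ordered so that nothing in the callback is trusted before the state
    matches. Every non-success path returns a result for the caller to render; the
    handler never redirects to the provider again, so a denial cannot loop.
    """
    # The state is single-use: consume it so a replayed callback is rejected.
    expected_state = session.pop("oauth_state", None)
    received_state = params.get("state", "")
    if expected_state is None or not secrets.compare_digest(
            received_state.encode(), expected_state.encode()):
        return CallbackResult("invalid", "state mismatch; please start the login again")

    # Provider-reported failures arrive as ?error=...; 'access_denied' is the user
    # clicking "Deny" on the consent screen.
    if "error" in params:
        if params["error"] == "access_denied":
            return CallbackResult("denied", "permission was not granted")
        return CallbackResult("error", f"provider returned error: {params['error']}")

    code = params.get("code")
    if not code:
        return CallbackResult("invalid", "callback is missing the authorization code")

    # Step 3: exchange the one-time code for tokens server-side. The callable returns
    # the provider's user id, or None if the exchange failed.
    user_id = exchange_code(code)
    if user_id is None:
        return CallbackResult("error", "token exchange failed")

    # Step 4: establish the local session.
    session["user_id"] = user_id
    return CallbackResult("ok", "signed in", user_id)


def fake_exchange(code: str) -> Optional[str]:
    """Constructed stand-in for the provider's token endpoint (hypothetical behaviour):
    only the code "good-code" is accepted and maps to a fixed user id."""
    return "user-123" if code == "good-code" else None
```

In a real integration `exchange_code` would POST the code to the provider's token endpoint over TLS and validate the response; keeping it as an injected callable is what makes the four failure scenarios testable without a live provider.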
Example usage
“Sign in with Google worked on the first try, but if the user denied permission and then tried again, the app got stuck in an infinite redirect loop.”
Related terms
Authentication
Authentication is the process of verifying the identity of a user or system, typically by validating credentials such as a username and password, a token, or a biometric factor, to confirm they are who they claim to be.
Authorization
Authorization is the process of determining what actions, resources, or data an authenticated user is permitted to access within an application, based on their role, permissions, or other access control rules.
JWT (JSON Web Token)
A JWT, or JSON Web Token, is a compact, URL-safe token format that encodes identity claims and metadata as a JSON object, signed digitally to ensure integrity, and used to securely transmit authentication and authorization data between a client and a server.