How OAuth 2.0 Actually Works: The Authorization Code Flow Deconstructed
The “Sign in with Google” button seems straightforward. Click it, authenticate, and you’re in. But behind that simple interaction lies one of the most widely deployed authorization protocols in computing history—a protocol that was never actually designed for authentication. OAuth 2.0, published as RFC 6749 in October 2012, emerged from a practical problem: how do you let a third-party application access your data without giving it your password? The solution involved a clever dance of redirects, temporary credentials, and cryptographic proofs that billions of users perform daily without understanding what’s happening. ...