Definition
An authorization protocol (OAuth) whose flow allows a third-party application (e.g., a Python script) to access a user’s data on a service (e.g., Google) without the user ever sharing their password with that application.
Why It Matters
OAuth is the “security guard” of the modern web: it is the only thing standing between a useful app and wholesale identity theft. By letting apps “borrow” access rather than “steal” passwords, it enables the entire ecosystem of connected services we use every day. For developers, mastering this model is a mandatory ethical requirement; for users, understanding it is the difference between a “safe integration” and a “catastrophic data breach.” Scoped tokens are how “least privilege” is implemented here: even if one app is hacked, your entire digital life isn’t compromised.
Core Concepts
- Credentials: A static JSON file identifying the application to the service.
- Handshake Flow:
  - Request: Application redirects the user to the service’s login page.
  - Grant: User logs in and explicitly grants permission.
  - Token: Service issues a unique string (token) to the application.
- Persistence of Auth: Tokens are typically stored locally (e.g., in .pickle files). As long as the token is valid, the program can bypass the browser login for future sessions.
- Scope: Permissions are limited (e.g., “Read-only” or “Sheets access only”) to minimize the blast radius of a compromised token.