Refined Permission Control

  • We don’t need to hand the account password to the Client. A password grants full control, and sharing it carries the risk that comes with that.
  • We can instead grant the Client permission to read only the username and the account’s contacts, nothing else.

Smaller Attack Surface

  • An Access Token carries a TTL, so it expires automatically without manual revocation and without a negative impact on UX; a stolen token is therefore useful only until it expires.

Resource Owner

  • The owner of the identity: the live user themselves, who logs in and consents to what the Client may do

Microsoft Entra ID

  • You can read up on the breakdown of each component here
  • You can manage the apps you have consented to here

Google Account

  • You can manage the apps you have consented to here

GitHub Account

  • You can manage the apps you have consented to here

Client

  • Third-party application that wants to find out more about the Resource Owner and carry out actions on his/her behalf
  • Never sees the Resource Owner’s password; it holds only an Access Token limited to the granted scope

Scope

  • The refined permissions the Client asks for
  • Specifies which types of data it may read and which actions it may perform on the Resource Server, so the token can be limited to, say, username and contacts

Client ID

  • Public identifier the Authorization Server assigns to the Client at registration; it is not a secret and appears in the browser-visible authorization request

Client Secret

  • Credential known only to the Client and the Authorization Server; the Client uses it to authenticate on the back channel when exchanging an Authorization Code for an Access Token, so it must never ship in browser or mobile code

Access Token

  • Credential the Authorization Server issues to the Client after consent; the Client presents it to the Resource Server, which honours only the granted scope and only until the token’s TTL elapses

Authorization Server

  • The application that hosts the account of the Resource Owner: it authenticates the user, records their consent, and issues the Authorization Code and Access Token
  • Single source for identity

Redirect URI

  • The Client’s pre-registered URL to which the Authorization Server sends the browser back with the result of the authorization request
  • The Authorization Server must compare it to the registered value with an exact match; a prefix or wildcard match lets an attacker-controlled URI receive the Authorization Code

Response Type

  • Tells the Authorization Server which flow the Client is using; `code` asks for an Authorization Code to be returned to the Redirect URI

Authorization Code

  • Short-lived, single-use value delivered to the Redirect URI; the Client exchanges it, together with its Client Secret, over the back channel for an Access Token, so the token itself never transits the browser

Resource Server

  • The API that hosts the Resource Owner’s protected data (e.g. contacts) and accepts the Access Token as proof of the scope that was granted
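The terms above are easiest to see together in one exchange. The following is an added example, not code from the original page or from any of the providers named above: an in-memory model of the authorization code flow with all three parties, where the Client ID, Client Secret, Redirect URI, scopes, TTLs and contact data are constructed values. It shows the checks a practitioner cares about: exact Redirect URI matching, scope restricted to what the Client registered for, a `state` value that ties the redirect to the session that started it, a single-use Authorization Code, and an Access Token that the Resource Server rejects once its TTL has elapsed.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# All identifiers, secrets and data below are constructed for this example.
CODE_TTL = 60           # authorization codes: short-lived and single-use
ACCESS_TOKEN_TTL = 900  # the access-token TTL discussed above (15 minutes)


class AuthorizationServer:
    def __init__(self, clients):
        # client_id -> (client_secret, registered redirect_uri, allowed scopes)
        self.clients, self.codes, self.tokens = clients, {}, {}

    def authorize(self, client_id, redirect_uri, response_type, scope, state, now):
        # Reached after the Resource Owner has logged in and consented.
        if client_id not in self.clients:
            raise ValueError("unknown client_id")
        _, registered_uri, allowed = self.clients[client_id]
        if redirect_uri != registered_uri:       # exact match, never prefix/wildcard
            raise ValueError("redirect_uri mismatch")
        if response_type != "code":
            raise ValueError("unsupported response_type")
        if not set(scope.split()) <= allowed:    # only scopes the Client registered for
            raise ValueError("scope not permitted")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "expires": now + CODE_TTL}
        # Front channel: the browser is redirected back to the Client with code + state.
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, client_id, client_secret, code, redirect_uri, now):
        # Back channel: the Client authenticates with its secret and redeems the code.
        secret = self.clients.get(client_id, (None,))[0]
        if secret is None or not hmac.compare_digest(secret, client_secret):
            raise ValueError("client authentication failed")
        entry = self.codes.pop(code, None)       # pop: a code is redeemable once
        if entry is None or entry["expires"] < now:
            raise ValueError("invalid or expired code")
        if (entry["client_id"], entry["redirect_uri"]) != (client_id, redirect_uri):
            raise ValueError("code was issued to a different client/redirect_uri")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"scope": entry["scope"], "expires": now + ACCESS_TOKEN_TTL}
        return {"access_token": token, "token_type": "Bearer",
                "expires_in": ACCESS_TOKEN_TTL, "scope": entry["scope"]}

    def introspect(self, token, now):
        # What the Resource Server asks: is the token live, and with what scope?
        entry = self.tokens.get(token)
        if entry is None or entry["expires"] < now:
            return None
        return set(entry["scope"].split())


def get_contacts(auth, token, now):
    # Resource Server endpoint: data only for a live token carrying the right scope.
    scopes = auth.introspect(token, now)
    if scopes is None or "contacts.read" not in scopes:
        raise PermissionError("token expired, unknown, or lacks contacts.read")
    return ["alice@example.com", "bob@example.com"]  # constructed sample data


class Client:
    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.pending_states = redirect_uri, set()

    def authorization_request(self, scope):
        state = secrets.token_urlsafe(16)        # ties the redirect to this session
        self.pending_states.add(state)
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "response_type": "code", "scope": scope, "state": state}

    def handle_redirect(self, url):
        q = parse_qs(urlparse(url).query)
        state = q.get("state", [None])[0]
        if state not in self.pending_states:     # unknown state: treat as CSRF
            raise ValueError("state mismatch")
        self.pending_states.discard(state)
        return q["code"][0]


def rejects(fn, *args, **kwargs):
    # True if the call is refused (ValueError / PermissionError).
    try:
        fn(*args, **kwargs)
    except (ValueError, PermissionError):
        return True
    return False


def run_flow(scope="profile contacts.read", now=1_700_000_000):
    # Drive one full exchange; returns (auth_server, client, code, token_response).
    auth = AuthorizationServer({"app-123": ("s3cret", "https://app.example/cb",
                                           {"profile", "contacts.read"})})
    client = Client("app-123", "s3cret", "https://app.example/cb")
    req = client.authorization_request(scope)
    code = client.handle_redirect(auth.authorize(**req, now=now))
    tok = auth.token("app-123", "s3cret", code, "https://app.example/cb", now)
    return auth, client, code, tok
```

Running `run_flow()` yields a Bearer token scoped to `profile contacts.read` that `get_contacts` accepts; `run_flow(scope="profile")` yields a token the Resource Server refuses for contacts, which is the least-privilege point made under Refined Permission Control. Redeeming the same code twice, presenting a forged `state`, asking for an unregistered Redirect URI or scope, or using the token after 900 seconds are all refused.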