Security architecture

Letting an app access your data without ever giving it your password.

The idea

Authentication (AuthN) proves who you are; authorization (AuthZ) determines what you are allowed to do. When you "Log in with Google" on a third-party app, you are using OAuth 2.0, specifically the Authorization Code flow.

You never give the third-party app your Google password. Instead, you log in directly at Google, which hands the app a short-lived "Authorization Code" by redirecting your browser back to it. The app then exchanges this code with Google over a back channel (server to server, never through the browser), proving its own identity with its client secret, and receives an "Access Token", which it uses to fetch your data.

[Interactive sequence diagram: Browser, 3rd-Party App, Auth Server]

How it works (OAuth 2.0 Auth Code)

# 1. User clicks "Login with Google" on App
# App redirects Browser to Auth Server (front channel, via the browser)

# 2. User logs into Auth Server and approves access.
# Auth Server redirects Browser back to App with ?code=xyz

# 3. BACKCHANNEL (App backend -> Auth Server directly, over HTTPS)
import requests

def exchange_code_for_token(code, client_id, app_secret, redirect_uri):
    # App proves who IT is using its secret, and trades the code.
    # grant_type, client_id and redirect_uri are the parameters RFC 6749 requires
    # alongside the code and secret.
    response = requests.post("https://auth-server.com/token", data={
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": app_secret,
        "code": code,
        "redirect_uri": redirect_uri,  # must match the URI used in step 1
    }, timeout=10)
    response.raise_for_status()
    return response.json()["access_token"]

# 4. App now has the token and can fetch user data!
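To show why step 3 is what protects the flow, here is an added example (not part of the original page) that models the Auth Server's token endpoint in memory: a leaked code by itself yields nothing without the client secret, the code is single-use, is bound to the client and redirect URI, and expires. Client ids, secrets, URIs and the AuthServer class are constructed for illustration.

```python
"""Added example (not from the original page): an in-memory model of the
OAuth 2.0 Authorization Code back channel. Names and values are constructed."""
import secrets
import time

# Constructed client registration: the app's id, secret and registered redirect URI.
REGISTERED_CLIENTS = {
    "demo-app": {"client_secret": "s3cr3t-demo",
                 "redirect_uri": "https://app.example/cb"},
}


class AuthServer:
    """Minimal token endpoint: issues codes (step 2) and trades them for tokens (step 3)."""

    def __init__(self, code_ttl=60):
        self.code_ttl = code_ttl
        self._codes = {}  # code -> (client_id, redirect_uri, issued_at, user)

    def issue_code(self, client_id, redirect_uri, user):
        # Step 2: the user approved access; the code is bound to client and redirect URI.
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, redirect_uri, time.time(), user)
        return code

    def token(self, form):
        # Step 3: back-channel exchange. The client must authenticate first.
        client = REGISTERED_CLIENTS.get(form.get("client_id"))
        if client is None or not secrets.compare_digest(
                client["client_secret"], form.get("client_secret", "")):
            return {"error": "invalid_client"}
        entry = self._codes.pop(form.get("code"), None)  # pop: a code is single-use
        if entry is None:
            return {"error": "invalid_grant"}
        client_id, redirect_uri, issued_at, user = entry
        if (client_id != form["client_id"]
                or redirect_uri != form.get("redirect_uri")
                or time.time() - issued_at > self.code_ttl):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "sub": user}


def exchange_code_for_token(server, code, client_id, client_secret, redirect_uri):
    """The app backend's side of step 3; an in-process stand-in for the HTTPS POST."""
    return server.token({"grant_type": "authorization_code", "code": code,
                         "client_id": client_id, "client_secret": client_secret,
                         "redirect_uri": redirect_uri})
```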