Letting an app access your data without ever giving it your password.
Authentication (AuthN) proves who you are. Authorization (AuthZ) determines what you are allowed to do. When you "Log in with Google" on a third-party app, you are using OAuth 2.0 (Authorization Code Flow).
You never give the third-party app your Google password. Instead, you log directly into Google, which hands the app a temporary, single-use "Authorization Code" via your browser. The app then exchanges this code with Google over a back channel (server to server, out of the browser's sight) for an "Access Token", which it uses to fetch your data. Your password and the app's own secret never travel through the browser.
import requests

# 1. User clicks "Login with Google" on the App.
#    The App redirects the Browser to the Auth Server's authorize endpoint
#    (with its client_id, its registered redirect_uri, and a random state value).
# 2. User logs into the Auth Server and approves access.
#    The Auth Server redirects the Browser back to the App with ?code=xyz&state=...
# 3. BACKCHANNEL (App -> Auth Server directly, never through the Browser)
def exchange_code_for_token(code, client_id, app_secret, redirect_uri):
    # The App proves who IT is using its secret and trades the single-use
    # code for an access token. grant_type and redirect_uri are required by
    # the token endpoint so the server can bind the code to this request.
    response = requests.post("https://auth-server.com/token", data={
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": app_secret,
        "code": code,
        "redirect_uri": redirect_uri,
    })
    response.raise_for_status()
    return response.json()["access_token"]
# 4. The App now has the token and can fetch user data!
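To see both sides of the exchange at once, here is an added example (not code from the original page, and not a real Google endpoint) that simulates the authorization server, the token endpoint and the app in one process. Client id "app-123", secret "s3cr3t" and the callback URL are constructed values; it shows why the code is single use, expires, and is bound to the client and redirect_uri, and why the app checks state on the callback.

```python
import secrets
import time

# Constructed in-memory stand-in for the authorization server (not a real provider).
REGISTERED_CLIENTS = {
    "app-123": {"secret": "s3cr3t", "redirect_uri": "https://app.example/cb"},
}
_codes = {}    # code -> {client_id, redirect_uri, user, expires, used}
_tokens = {}   # access_token -> user

def authorize(client_id, redirect_uri, user, state):
    """Front channel: user has logged in and approved; server issues a code."""
    client = REGISTERED_CLIENTS.get(client_id)
    if not client or client["redirect_uri"] != redirect_uri:
        raise ValueError("unknown client or redirect_uri mismatch")
    code = secrets.token_urlsafe(16)
    _codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                    "user": user, "expires": time.time() + 60, "used": False}
    return {"code": code, "state": state}   # what lands on ?code=...&state=...

def token(client_id, client_secret, code, redirect_uri):
    """Back channel: app proves its identity and trades the code for a token."""
    client = REGISTERED_CLIENTS.get(client_id)
    if not client or not secrets.compare_digest(client["secret"], client_secret):
        raise PermissionError("invalid_client")
    entry = _codes.get(code)
    if (entry is None or entry["used"] or entry["expires"] < time.time()
            or entry["client_id"] != client_id
            or entry["redirect_uri"] != redirect_uri):
        raise PermissionError("invalid_grant")
    entry["used"] = True                      # codes are single use
    access_token = secrets.token_urlsafe(32)
    _tokens[access_token] = entry["user"]
    return {"access_token": access_token, "token_type": "Bearer"}

def userinfo(access_token):
    """Resource server: returns only the data the token is authorized for."""
    user = _tokens.get(access_token)
    if user is None:
        raise PermissionError("invalid_token")
    return {"email": user}

def login_with_provider(client_id, client_secret, redirect_uri, user):
    """The app's side of steps 1-4: state check, code exchange, data fetch."""
    state = secrets.token_urlsafe(8)          # CSRF guard for the callback
    cb = authorize(client_id, redirect_uri, user, state)
    if not secrets.compare_digest(cb["state"], state):
        raise PermissionError("state mismatch")
    tok = token(client_id, client_secret, cb["code"], redirect_uri)
    return userinfo(tok["access_token"])
```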