OAuth is a protocol for delegated authorization. It lets one application access a slice of a user's data on another service without ever handling that user's password. Instead of typing your Google password into a third-party app, you are redirected to Google, you approve a specific set of permissions, and the app receives an access token scoped to exactly what you allowed. The password never leaves Google.
The core idea is consent and scope. The user grants limited, revocable access, and can withdraw it later without changing their password. This is the "Sign in with Google" or "Connect your Slack" flow you see everywhere. To be precise: OAuth is about authorization (what an app is allowed to do), not authentication (proving who you are). The "log in with" experience is really OpenID Connect, an identity layer built on top of OAuth. A scheduling app that needs to add events to your calendar uses OAuth to get a calendar-scoped token, so it can write events but cannot read your email or touch anything you did not approve.
The current standard is OAuth 2.0, with several flows for different situations, from server-side web apps to mobile apps to machine-to-machine access.
Whenever a product needs to connect to Google, Microsoft, Slack, or any service a user already trusts, OAuth is how we do it, because asking users to hand over passwords to a third party is both a security risk and a non-starter for serious integrations. We implement the right flow for the situation, scope tokens tightly to what the feature genuinely needs, and handle token refresh and revocation so the connection survives without becoming a liability.
The details are where OAuth goes wrong, so they get our attention: state parameters to block CSRF, secure token storage, and the difference between authorization and identity handled correctly rather than conflated. This sits inside our custom web application development and API-first development work, alongside the rest of the auth stack, because an integration that leaks access is worse than one that was never built.
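As an added illustration of the state check mentioned above (example code written for this page, not the agency's own implementation; the authorization endpoint, client id and redirect URI are placeholders), here is how a server-side web app can issue a single-use state value for the authorization code flow and reject any callback that does not carry it back:

```python
import hmac
import secrets
from urllib.parse import urlencode, parse_qs, urlparse

# Placeholder provider endpoint; a real integration uses the provider's documented URL.
AUTHORIZE_ENDPOINT = "https://auth.example.test/oauth2/authorize"


def build_authorization_request(session: dict, client_id: str, redirect_uri: str, scopes: list[str]) -> str:
    """Start the authorization code flow.

    A fresh, unguessable state value is stored in the caller's server-side
    session and sent to the provider. The provider echoes it back on the
    redirect, which is what lets us tell a genuine callback from a forged one.
    """
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # request only what the feature genuinely needs
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Validate the redirect back from the provider and return the authorization code.

    Rejects any callback whose state is missing, does not match the session,
    or has already been consumed (each state is single-use, so a replayed
    callback fails too).
    """
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # consume it: one state, one callback
    received = query.get("state", [None])[0]
    if expected is None or received is None or not hmac.compare_digest(expected, received):
        raise PermissionError("state mismatch: possible CSRF, callback discarded")
    if "error" in query:
        raise RuntimeError(f"authorization denied: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code
```

The returned code is then exchanged for a token server-side; the state check is what stops an attacker-initiated callback from binding a foreign authorization to the victim's session.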
Connecting your product to the services your users already live in? Let's get the OAuth flow right.