What is OAuth?

Understand what OAuth is and why it exists — delegate authentication to trusted providers like Google without handling passwords yourself.

What is OAuth?

Building a login system from scratch means handling passwords, hashing, password resets, and security vulnerabilities. OAuth lets you skip all of that by delegating authentication to a trusted provider like Google, GitHub, or Facebook.

The Problem

Your app needs to know who the user is, but:

  • Storing passwords is risky — data breaches expose them
  • Users have too many passwords already
  • You need to handle password resets, hashing, and brute-force protection
  • Users are more likely to sign up if they can use an existing account

The Solution: OAuth

OAuth stands for Open Authorization. It lets users log in to your app using their existing account on another service (called a provider). Your app never sees or stores the user's password.

How It Works (Simplified)

1. User clicks "Login with Google" on your app
2. Your app redirects the user to Google's login page
3. User logs in on Google (your app never sees the password)
4. Google asks: "Allow this app to access your profile?"
5. User clicks "Allow"
6. Google redirects back to your app with a special code
7. Your app exchanges the code for user profile data
8. User is logged in — you have their name, email, and photo

Key Terms

Term                  Meaning
Resource Owner        The user who owns the account
Client                Your application requesting access
Authorization Server  Google/GitHub — handles login and consent
Resource Server       The API that provides user data
Access Token          A token your app uses to access the user's data

What We Will Build

In this series, you will build a Node.js application with:

  • Google OAuth login using Passport.js
  • MongoDB user storage
  • Cookie-based sessions
  • Protected profile page with user thumbnail

Key Takeaways

  • OAuth delegates authentication to trusted providers — your app never handles passwords
  • Users authenticate with the provider, which then gives your app a token
  • Your app uses the token to get user profile information
  • Passport.js is a Node.js middleware that simplifies OAuth implementation