📖 What is OAuth 2.0?

OAuth 2.0 (RFC 6749) is an open-standard authorization framework that lets a third-party application obtain limited access to a user's account on an HTTP service. Instead of the user handing their password to the application, an authorization server issues the application an access token that is limited in scope and lifetime, so a compromised or misbehaving application can do no more than that token permits.

🥋 Sensei Says:

"Do not confuse OAuth (authorization) with SAML or OpenID Connect (authentication). OAuth is about 'what you can do', not 'who you are'."

📚 Certification: CompTIA Security+ Certification Exam (SY0-701)

🔑 What are the Key Concepts of OAuth 2.0?

  • Access Tokens: Short-lived strings (typically minutes to an hour) that the client presents to the resource server to reach specific resources; the user's primary credentials are never shared with the third-party application. Most access tokens are bearer tokens, so anyone who holds one can use it: send them only over TLS and keep them out of URLs and logs.
  • Scopes: Space-separated permission names (for example, a read-only scope for a user's photos) that state what the application is asking for, so the user can grant limited access in line with the principle of least privilege. The authorization server may grant fewer scopes than were requested, so a well-written client reads the scope value in the token response rather than assuming it received everything.
  • Roles: The framework defines four parties: the Resource Owner (the user who can grant access), the Client (the application requesting access), the Authorization Server (which authenticates the user, obtains consent, and issues tokens), and the Resource Server (the API that holds the protected data and accepts access tokens).
  • Refresh Tokens: Longer-lived tokens that the client sends to the authorization server (never to the resource server) to obtain a new access token after the old one expires, so the user is not prompted again. Because they are long-lived they must be stored securely; the OAuth 2.0 Security Best Current Practice recommends rotating them on every use and revoking the whole token family if a refresh token is ever presented twice.
  • Delegated Access: The core purpose of OAuth 2.0 is to let a third-party application act on the user's behalf, within the granted scopes, without ever holding the user's credentials.
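The exchange these concepts describe, as an added example that is not code from the page: a self-contained Python model of the authorization code grant with PKCE (RFC 6749 section 4.1 and RFC 7636), with both the client and the authorization server simulated in memory so it runs offline. The hostnames, the client ID "photo-printer", the scope names, and the `attacker_verifier` parameter (used only to model a stolen code) are assumptions made for illustration.

```python
# Added example (not from the page): OAuth 2.0 authorization code grant with PKCE,
# both sides simulated in memory. Client ID, redirect URI and scopes are assumed.
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

REDIRECT_URI = "https://app.example.test/callback"   # assumed registered redirect URI
CLIENT_ID = "photo-printer"                          # assumed client


def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class AuthorizationServer:
    """Authorization server: knows its clients, issues codes, exchanges them for tokens."""

    def __init__(self):
        # Each client has a registered redirect URI and a ceiling on the scopes it may get.
        self.clients = {CLIENT_ID: {"redirect_uri": REDIRECT_URI,
                                    "allowed_scopes": {"photos:read"}}}
        self.codes = {}    # authorization code -> what is needed to validate the exchange
        self.tokens = {}   # access token -> {"scope", "exp"}

    def authorize(self, params: dict, consented: set) -> str:
        """Authorization endpoint. `consented` is the set of scopes the resource owner
        approved on the consent screen. Returns the redirect URL carrying the code."""
        client = self.clients[params["client_id"]]
        if params["redirect_uri"] != client["redirect_uri"]:
            raise ValueError("redirect_uri does not match the registered value")
        if params.get("code_challenge_method") != "S256":
            raise ValueError("PKCE with S256 is required")
        requested = set(params["scope"].split())
        granted = requested & client["allowed_scopes"] & consented   # may be narrower
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": params["client_id"],
                            "redirect_uri": params["redirect_uri"],
                            "code_challenge": params["code_challenge"],
                            "scope": granted, "exp": time.time() + 60}   # codes are short-lived
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form: dict) -> dict:
        """Token endpoint: exchange a single-use code plus code_verifier for an access token."""
        entry = self.codes.pop(form.get("code"), None)   # pop: a code can never be replayed
        if entry is None or entry["exp"] < time.time():
            raise ValueError("invalid_grant: unknown, used or expired code")
        if (entry["client_id"] != form["client_id"]
                or entry["redirect_uri"] != form["redirect_uri"]):
            raise ValueError("invalid_grant: client_id/redirect_uri mismatch")
        expected = b64url(hashlib.sha256(form["code_verifier"].encode()).digest())
        if not secrets.compare_digest(expected, entry["code_challenge"]):
            # Whoever holds the code does not hold the verifier: an intercepted code is useless.
            raise ValueError("invalid_grant: PKCE verification failed")
        access = secrets.token_urlsafe(32)
        self.tokens[access] = {"scope": entry["scope"], "exp": time.time() + 3600}
        return {"access_token": access, "token_type": "Bearer", "expires_in": 3600,
                "scope": " ".join(sorted(entry["scope"]))}


def run_flow(server: AuthorizationServer, requested_scope: str, consented: set,
             attacker_verifier: str = None) -> dict:
    """Client side of the grant. If `attacker_verifier` is given, the code exchange is
    attempted with that verifier instead of the real one, modelling a stolen code."""
    verifier = b64url(secrets.token_bytes(32))           # kept secret by the client
    state = secrets.token_urlsafe(16)                     # binds the callback to this session
    request = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
               "scope": requested_scope, "state": state,
               "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest()),
               "code_challenge_method": "S256"}
    redirect = server.authorize(request, consented)       # the user agent is sent back here
    callback = {k: v[0] for k, v in parse_qs(urlparse(redirect).query).items()}
    if not secrets.compare_digest(callback["state"], state):
        raise ValueError("state mismatch: possible CSRF, discard the callback")
    response = server.token({"grant_type": "authorization_code", "code": callback["code"],
                             "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                             "code_verifier": attacker_verifier or verifier})
    # The server may have granted less than was asked for: read the scope actually issued.
    response["granted"] = set(response["scope"].split())
    return response


if __name__ == "__main__":
    srv = AuthorizationServer()
    print(run_flow(srv, "photos:read photos:write", {"photos:read", "photos:write"}))
```

Running it shows the four roles in action: the client requests two scopes, the user consents, but the server only ever issues `photos:read` because that is all the client is allowed, and the client learns this from the `scope` field rather than assuming. The `state` check stops a forged callback, the code is single-use, and a code that leaks without its verifier cannot be exchanged.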

🎯 How does OAuth 2.0 appear on the SY0-701 Exam?

You may be asked to identify the best protocol for a scenario where a mobile app needs to access a user's photos from a cloud service without receiving the user's password; the answer is OAuth 2.0, since the app receives a scoped access token rather than the user's credentials.

A scenario might describe a user granting a 'read-only' permission to a third-party tool; expect to identify this as the use of 'scopes' within the OAuth 2.0 framework.

Expect questions that require you to distinguish between authorization and authentication, specifically asking which protocol allows a third-party service to access specific data on a user's behalf.

❓ Frequently Asked Questions

How does OAuth 2.0 differ from OpenID Connect (OIDC)?

OAuth 2.0 is strictly for authorization: it tells a resource server what the bearer of a token may do, and by itself says nothing reliable about who the user is. OIDC is an identity layer built on top of OAuth 2.0 that adds authentication: alongside the access token, the authorization server returns an ID token (a signed JWT carrying claims such as issuer, subject, audience, and expiry) that the application verifies to learn who logged in.


What happens when an access token expires?

The application sends its refresh token to the authorization server's token endpoint (grant_type=refresh_token) and receives a new access token, and usually a new refresh token, without the user logging in again. If the refresh token has itself expired or been revoked, the server answers with an invalid_grant error and the user must go through the authorization flow again.
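What expiry and refresh look like from both sides, as an added example that is not code from the page: a Python model of an authorization server's token store with refresh-token rotation and reuse detection, a resource server that distinguishes an expired token (401) from one lacking the needed scope (403), and a client that refreshes transparently and falls back to re-authorization when refresh fails. The injected `clock`, the token lifetimes, and the scope names are assumptions made so expiry can be exercised deterministically.

```python
# Added example (not from the page): access-token expiry, scope enforcement at the
# resource server, and refresh-token rotation with reuse detection. Lifetimes, the
# injected clock and the scope names are assumptions for illustration.
import secrets
import time


class TokenService:
    """In-memory authorization server token store. `clock` returns the current time;
    it is injectable so expiry can be driven in a test instead of waiting."""
    ACCESS_TTL = 900            # 15 minutes
    REFRESH_TTL = 30 * 86400    # 30 days

    def __init__(self, clock=time.time):
        self.clock = clock
        self.access = {}            # access token -> {"scope", "exp", "family"}
        self.refresh = {}           # refresh token -> {"scope", "exp", "family", "used"}
        self.revoked_families = set()   # every token descended from a revoked grant

    def _issue(self, scope, family):
        now = self.clock()
        a, r = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[a] = {"scope": scope, "exp": now + self.ACCESS_TTL, "family": family}
        self.refresh[r] = {"scope": scope, "exp": now + self.REFRESH_TTL,
                           "family": family, "used": False}
        return {"access_token": a, "refresh_token": r, "token_type": "Bearer",
                "expires_in": self.ACCESS_TTL}

    def grant(self, scope):
        """Initial issuance after a successful authorization grant; starts a token family."""
        return self._issue(frozenset(scope), family=secrets.token_hex(8))

    def refresh_grant(self, refresh_token):
        """grant_type=refresh_token: rotate the refresh token; revoke the family on reuse."""
        entry = self.refresh.get(refresh_token)
        if entry is None or entry["family"] in self.revoked_families:
            raise PermissionError("invalid_grant")
        if entry["used"]:
            # Presented twice: either the client lost the new token or an attacker
            # holds a copy. Nobody can tell which, so the whole family is revoked.
            self.revoked_families.add(entry["family"])
            raise PermissionError("invalid_grant: refresh token reuse detected")
        if entry["exp"] <= self.clock():
            raise PermissionError("invalid_grant: refresh token expired, re-authorize")
        entry["used"] = True
        return self._issue(entry["scope"], entry["family"])

    def introspect(self, access_token):
        """Resource-server check (RFC 7662 style): active only if unexpired and unrevoked."""
        entry = self.access.get(access_token)
        if (entry is None or entry["exp"] <= self.clock()
                or entry["family"] in self.revoked_families):
            return {"active": False}
        return {"active": True, "scope": entry["scope"]}


def call_api(service, access_token, required_scope):
    """Resource server endpoint: 401 if the token is dead, 403 if it lacks the scope."""
    info = service.introspect(access_token)
    if not info["active"]:
        return 401
    if required_scope not in info["scope"]:
        return 403
    return 200


class ApiClient:
    """Client that retries once after a silent refresh and flags re-authorization
    when the refresh token no longer works."""

    def __init__(self, service, tokens):
        self.service, self.tokens = service, tokens
        self.reauth_needed = False

    def get(self, required_scope):
        status = call_api(self.service, self.tokens["access_token"], required_scope)
        if status != 401:
            return status
        try:
            self.tokens = self.service.refresh_grant(self.tokens["refresh_token"])
        except PermissionError:
            self.reauth_needed = True   # send the user through the authorization flow again
            return 401
        return call_api(self.service, self.tokens["access_token"], required_scope)


if __name__ == "__main__":
    svc = TokenService()
    client = ApiClient(svc, svc.grant(["photos:read"]))
    print(client.get("photos:read"), client.get("photos:write"))
```

The point to take from the model is that only the authorization server ever sees a refresh token, and that rotation turns a stolen refresh token into a detectable event: whichever party presents the old one second causes the whole family, including the legitimate client's current access token, to be revoked, which forces a visible re-authorization rather than letting the attacker keep a permanent foothold.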
