# What is OAuth2?

OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for applications.

## OAuth Roles <a href="#oauth-roles" id="oauth-roles"></a>

OAuth defines four roles:

* **Resource Owner**: The resource owner is the *user* who authorizes an *application* to access their account. The application’s access to the user’s account is limited to the scope of the authorization granted (e.g. read or write access).
* **Client**: The client is the *application* that wants to access the *user*’s account. Before it may do so, it must be authorized by the user, and the authorization must be validated by the API.
* **Resource Server**: The resource server hosts the protected user accounts.
* **Authorization Server**: The authorization server verifies the identity of the *user*, then issues access tokens to the *application*.

## Implementation at Matrica

We have implemented some of the OAuth 2.1 specification's requirements (see this [link](https://oauth.net/2.1/)) to provide a more secure flow:

* PKCE is required for all OAuth clients using the authorization code flow
* Redirect URIs must be compared using exact string matching
* The Implicit grant (`response_type=token`) is omitted from this specification
* The Resource Owner Password Credentials grant is omitted from this specification
* Bearer token usage omits the use of bearer tokens in the query string of URIs
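
The following is an added example, not Matrica's code, and says nothing about how Matrica's servers implement these rules. It shows what the first, second and last requirements above look like in practice: a client generating a PKCE verifier and S256 challenge, a minimal in-memory authorization server that refuses requests without PKCE, compares `redirect_uri` by exact string equality, issues single-use codes and verifies the code verifier at the token endpoint, plus a check that rejects bearer tokens carried in a URL query string. The `AuthorizationServer` class, the function names and the `https://app.example.com/...` URIs are hypothetical; the PKCE test vector referenced in the comments is the one published in RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Iterable
from urllib.parse import parse_qs, urlparse


# --- PKCE (RFC 7636); OAuth 2.1 makes it mandatory for the authorization code flow ---

def generate_code_verifier(n_bytes: int = 32) -> str:
    """Client side: high-entropy random string, base64url without padding (43-128 chars)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(code_verifier: str) -> str:
    """Client side: S256 challenge sent in the authorization request.

    RFC 7636 Appendix B: verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
    yields challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM.
    """
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_pkce(code_verifier: str, stored_challenge: str) -> bool:
    """Server side: recompute the challenge and compare in constant time."""
    if not (43 <= len(code_verifier) <= 128):
        return False
    recomputed = code_challenge_s256(code_verifier).encode("ascii")
    return hmac.compare_digest(recomputed, stored_challenge.encode("ascii"))


# --- Exact redirect_uri matching: no prefix, wildcard or normalized comparison ---

def redirect_uri_allowed(requested: str, registered: Iterable[str]) -> bool:
    """A trailing slash, extra query parameter or different host all fail."""
    return any(requested == r for r in registered)


# --- Bearer tokens must not travel in the query string of a URI ---

def token_in_query_string(url: str) -> bool:
    """True when a request URL carries access_token as a query parameter."""
    return "access_token" in parse_qs(urlparse(url).query)


class AuthorizationServer:
    """Hypothetical in-memory server that applies the three rules above."""

    def __init__(self, registered_redirect_uris: Iterable[str]):
        self.registered = list(registered_redirect_uris)
        self.pending = {}  # authorization code -> (code_challenge, redirect_uri)

    def authorize(self, redirect_uri: str, code_challenge: str,
                  code_challenge_method: str = "S256") -> str:
        """Authorization endpoint: returns a single-use authorization code."""
        if code_challenge_method != "S256" or not code_challenge:
            raise ValueError("PKCE with S256 is required")
        if not redirect_uri_allowed(redirect_uri, self.registered):
            raise ValueError("redirect_uri does not exactly match a registered URI")
        code = secrets.token_urlsafe(24)
        self.pending[code] = (code_challenge, redirect_uri)
        return code

    def token(self, code: str, code_verifier: str, redirect_uri: str) -> dict:
        """Token endpoint: binds the exchange to the original challenge and URI."""
        entry = self.pending.pop(code, None)  # pop makes the code single-use
        if entry is None:
            raise ValueError("unknown or already used authorization code")
        stored_challenge, stored_redirect = entry
        if redirect_uri != stored_redirect:
            raise ValueError("redirect_uri differs from the authorization request")
        if not verify_pkce(code_verifier, stored_challenge):
            raise ValueError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow(server: AuthorizationServer, redirect_uri: str) -> dict:
    """Client side of a complete authorization code + PKCE exchange."""
    verifier = generate_code_verifier()          # kept secret by the client
    challenge = code_challenge_s256(verifier)     # the only value sent up front
    code = server.authorize(redirect_uri, challenge)
    return server.token(code, verifier, redirect_uri)


if __name__ == "__main__":
    srv = AuthorizationServer(["https://app.example.com/callback"])
    print(run_flow(srv, "https://app.example.com/callback"))
```

The verifier never leaves the client until the token request, so an attacker who intercepts the authorization code alone cannot redeem it; the exact-match comparison is deliberately a plain `==` rather than `startswith`, since prefix matching is what allows a registered URI to be extended into an attacker-controlled path or query.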

We will implement the newest standard once it comes out of draft.
