連携

OAuth

連携

4分で読了

OAuthとは？

OAuth is an open authorization standard that lets users grant third-party applications limited access to their accounts without sharing passwords. It is the protocol behind every 'Sign in with Google' button and most API authorization flows.

What is OAuth?

OAuth (Open Authorization) is an industry-standard protocol that enables secure, delegated access to user resources. Instead of handing your username and password to a third-party application, OAuth lets you grant that application a scoped, revocable access token — giving it permission to perform specific actions on your behalf without ever seeing your credentials.

The current version, OAuth 2.0, is used by virtually every major platform including Google, Microsoft, GitHub, Slack, Salesforce, and thousands more.

How OAuth 2.0 Works

The most common OAuth flow (Authorization Code Grant) involves four parties:

Resource Owner (the user): The person who owns the data and grants access.

Client (the application): The third-party app requesting access.

Authorization Server: The service that authenticates the user and issues tokens (e.g., Google's auth server).

Resource Server: The API that holds the user's data (e.g., Google Calendar API).

The flow proceeds as follows:

The client redirects the user to the authorization server with a request specifying the desired scopes (e.g., "read calendar events").

The user logs in and approves the requested permissions.

The authorization server redirects back to the client with a short-lived authorization code.

The client exchanges the code (plus a client secret) for an access token and a refresh token.

The client uses the access token to call the resource server's API on the user's behalf.

When the access token expires, the client uses the refresh token to obtain a new one without requiring user interaction.

OAuth Grant Types

Authorization Code: The standard flow for server-side apps. Most secure because tokens never touch the browser.

Authorization Code + PKCE: Enhanced version for mobile and single-page apps that cannot securely store a client secret.

Client Credentials: Machine-to-machine authentication where no user is involved (e.g., a backend service accessing its own API).

Device Code: For devices with limited input (smart TVs, CLI tools) — user authorizes on a separate device.

Scopes and Permissions

OAuth scopes define exactly what a token can do. A token with the scope read:email can read the user's email but cannot send messages or access contacts. This principle of least privilege is a core security feature — users and administrators can see exactly what they are granting, and applications only get the access they need.

Common Pitfalls

Token storage: Access tokens must be stored securely. Leaking a token is equivalent to leaking a password for the granted scopes.

Refresh token rotation: Some providers rotate refresh tokens on each use. Failing to store the new refresh token locks you out.

Scope creep: Requesting too many scopes erodes user trust and increases the blast radius of a token compromise.

Redirect URI validation: Misconfigured redirect URIs can enable token theft via open redirect attacks.

なぜ重要か

OAuth is the security backbone of modern integrations. Without it, connecting third-party services would require sharing raw credentials — a massive security risk. OAuth gives users control over what data they share, lets them revoke access at any time, and enables automation platforms to connect to hundreds of services securely.

Autonolyのソリューション

Autonoly handles the full OAuth 2.0 flow for you. Connect your Google, Slack, Microsoft, or other accounts with a single click — Autonoly manages token exchange, secure storage, automatic refresh, and scope management behind the scenes. Your credentials are never exposed to workflow logic.

詳しく見る

例

Connecting your Google Sheets account to an Autonoly workflow so it can read and write spreadsheet data on your behalf
Authorizing a Slack integration so your automation can post messages to specific channels
Granting an analytics dashboard read-only access to your CRM data without sharing your login

よくある質問

What is the difference between OAuth and API keys?

API keys are simple static credentials that identify the calling application but do not represent a specific user or have scoped permissions. OAuth tokens represent a specific user's delegated authorization with defined scopes and expiration. OAuth is more secure for user-facing integrations; API keys are simpler for server-to-server access.

Is OAuth 2.0 the same as OpenID Connect (OIDC)?

No. OAuth 2.0 is an authorization protocol (granting access to resources). OpenID Connect is an authentication layer built on top of OAuth 2.0 (verifying identity). When you see 'Sign in with Google,' that is OIDC using OAuth under the hood.

What happens when an OAuth access token expires?

The client uses the refresh token to request a new access token from the authorization server without requiring the user to log in again. If the refresh token is also expired or revoked, the user must re-authorize the application.

← No-Code Automation OCR (Optical Character Recognition) →

自動化について読むのはここまで。

自動化を始めましょう。

必要なことを日本語で説明するだけ。AutonolyのAIエージェントが自動化を構築・実行します。コード不要。

機能を見る