Understanding OAuth

In a typical web application scenario, a user navigates to the website and enters a username and password, which the website verifies against the credentials stored in its database. Once the user is authenticated, a cookie is stored in the browser and sent with subsequent requests to access protected resources.

In the modern application scenario, an application consists of several services (Web APIs) and the number of consumers varies. Moreover, many applications don't have their own authentication provider and instead use an external provider such as Google, Facebook, or Microsoft to authenticate users. In this case the typical identity scenario described above would not work.

OAuth is an open authorization standard that provides a key, known as a token, for accessing particular resources on websites. A token is obtained by presenting a secret, which could be a user password or an application ID, and the user can then use that token to gain access to resources (Web APIs) without revealing the secret to those resources.

To elaborate, let's take the example of a hotel where a person needs a key to access a particular room. That key is the access token in the OAuth world: it can be used to enter limited areas such as the fitness club, the room, and the pool area, whereas other sensitive areas remain inaccessible.

An access token is just like a door key: any person holding the key can enter the room without providing any sensitive information, such as a username or password.

OAuth provides an access token that can be used to access the protected resources (Web APIs) of any application.
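The hotel-key idea above, as an added example that is not code from the book: an authorization server checks the application's secret once and issues a token carrying only the requested scopes, and the resource server (which never sees the secret) opens only the "doors" those scopes cover. The client registry, the HMAC-signed token format, the signing key and the scope names are all assumptions made for this illustration, not the OAuth wire format.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample data (assumptions for this example): one registered
# application and its secret, the key the two servers share for signing,
# and the scope each hotel "area" requires.
CLIENT_REGISTRY = {"hotel-app": "app-secret-123"}
SIGNING_KEY = secrets.token_bytes(32)
RESOURCE_SCOPES = {"room": "room:open", "pool": "pool:enter", "vault": "vault:open"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(client_id, client_secret, scopes, ttl=3600, now=None):
    """Authorization server: verify the shared secret once, then hand back a
    token that carries only the requested scopes and an expiry time."""
    stored = CLIENT_REGISTRY.get(client_id)
    if stored is None or not hmac.compare_digest(stored, client_secret):
        return None
    payload = json.dumps({"sub": client_id, "scope": sorted(scopes),
                          "exp": (now or time.time()) + ttl}).encode()
    mac = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)

def verify_token(token, now=None):
    """Resource server: check integrity and expiry; the client secret is never needed here."""
    try:
        encoded_payload, encoded_mac = token.split(".")
        payload, mac = _unb64(encoded_payload), _unb64(encoded_mac)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # tampered or forged token
        return None
    claims = json.loads(payload)
    if claims["exp"] <= (now or time.time()):    # expired key
        return None
    return claims

def open_door(token, area, now=None):
    """Like a hotel key: the token opens only the areas its scopes cover."""
    claims = verify_token(token, now)
    if claims is None:
        return "invalid token"
    required = RESOURCE_SCOPES[area]
    return "open" if required in claims["scope"] else "denied: missing " + required

if __name__ == "__main__":
    key = issue_token("hotel-app", "app-secret-123", ["room:open", "pool:enter"])
    print(open_door(key, "room"), "|", open_door(key, "vault"))
```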
