# OAuth & OIDC

Industry standards for delegated authorization (OAuth 2.0) and federated authentication (OpenID Connect), enabling third-party login and secure API access.
## What it is

- OAuth 2.0: authorization protocol that lets an application access resources on behalf of a user without the application ever handling the user's credentials
- OpenID Connect (OIDC): identity layer on top of OAuth 2.0 that adds authentication (who the user is), not just authorization (what the client may do)
## OAuth 2.0 flows

| Flow | Use |
|---|---|
| Authorization Code | Web apps with backend |
| Authorization Code + PKCE | SPAs, mobile apps |
| Client Credentials | Machine-to-machine |
| Device Code | Devices without browser |
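The Authorization Code + PKCE row is the flow a public client (SPA or mobile app, which cannot keep a client secret) uses. The example below is added here and is not code from the page or any listed provider: it shows both halves of PKCE (RFC 7636), the client generating a `code_verifier` and its S256 `code_challenge` and building the authorization request, and the authorization server recomputing the challenge at the token endpoint to tie the code to the client that started the flow. The endpoint, client id and redirect URI are constructed placeholder values.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes -> 43 unreserved characters, inside the RFC's 43..128 range.
    # The verifier stays in the client's memory; only the challenge leaves the device.
    return secrets.token_urlsafe(32)


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(authz_endpoint: str, client_id: str, redirect_uri: str,
                            scope: str, state: str, challenge: str) -> str:
    """Client side: the front-channel redirect to the authorization endpoint.
    `state` binds the callback to this browser session (CSRF protection);
    `code_challenge` binds the eventual code to this client instance."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{authz_endpoint}?{urlencode(params)}"


def server_accepts_verifier(stored_challenge: str, stored_method: str,
                            presented_verifier: str) -> bool:
    """Authorization server side, at the token endpoint: recompute the challenge
    from the verifier the client now presents and compare it with the challenge
    stored alongside the authorization code. A stolen code without the verifier
    cannot be redeemed."""
    if stored_method != "S256":
        # "plain" is permitted by the RFC but offers no protection if the
        # authorization request is observed; this server only accepts S256.
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


if __name__ == "__main__":
    # Constructed demo values, not a real deployment.
    verifier = make_code_verifier()
    challenge = code_challenge_s256(verifier)
    print(build_authorization_url("https://issuer.example/authorize", "spa-client",
                                  "https://app.example/callback", "openid profile",
                                  secrets.token_urlsafe(16), challenge))
    # Later, when the SPA exchanges the code, the server runs:
    print(server_accepts_verifier(challenge, "S256", verifier))
```

The server must store the challenge and method with the issued authorization code and reject the exchange when they do not match; a client that omits PKCE on a public client should be rejected outright rather than silently accepted.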
## Tokens

| Token | Purpose | Duration | Standard |
|---|---|---|---|
| Access Token | Authorizes resource access | Short (minutes-hours) | OAuth 2.0 |
| Refresh Token | Obtains new access tokens | Long (days-weeks) | OAuth 2.0 |
| ID Token | Carries identity claims about the authenticated user, for the client | Short | OIDC (always JWT) |
## JWT (JSON Web Token)

Common token format: `header.payload.signature`, each segment base64url-encoded. Because the issuer signs the token, a resource server can verify its integrity locally without calling the authentication server. Checking the signature alone is not enough: the expiry (`exp`), issuer (`iss`) and audience (`aud`) claims must be validated too, and the verifier must pin the expected algorithm rather than trust the one named in the header.
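Added example, not code from the page: a self-contained HS256 JWT signer and verifier using only the standard library, illustrating the local verification described above and the checks that go with it. The verifier pins the algorithm (so an `alg: none` or algorithm-swapped token is rejected before any signature work), compares signatures in constant time, and validates `iss`, `aud` and `exp` against a fixed clock. The secret, issuer, audience and the four demo tokens are constructed values for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issuer side: header.payload.signature with an HMAC-SHA256 signature."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"


class TokenError(Exception):
    pass


def verify_hs256(token: str, secret: bytes, issuer: str, audience: str,
                 now: Optional[float] = None) -> dict:
    """Resource server side: verify locally, no call to the issuer needed."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    head, body, sig = parts
    try:
        header = json.loads(b64url_decode(head))
    except (ValueError, UnicodeDecodeError):
        raise TokenError("malformed header")
    # Pin the algorithm: the header is attacker-controlled until the signature
    # is checked, so it must never select the verification method.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenError("expired")
    return claims


# Constructed demo material (not real credentials or a real issuer).
SECRET = b"constructed-demo-secret-not-for-production"
ISSUER = "https://issuer.example"
AUDIENCE = "api://orders"
NOW = 1_700_000_000  # fixed clock so the demo is deterministic

GOOD_TOKEN = sign_hs256({"iss": ISSUER, "aud": AUDIENCE, "sub": "user-42", "exp": NOW + 300}, SECRET)
EXPIRED_TOKEN = sign_hs256({"iss": ISSUER, "aud": AUDIENCE, "sub": "user-42", "exp": NOW - 1}, SECRET)
_head, _body, _sig = GOOD_TOKEN.split(".")
# Payload edited after signing (sub changed) while keeping the original signature.
TAMPERED_TOKEN = ".".join([_head, b64url_encode(
    json.dumps({"iss": ISSUER, "aud": AUDIENCE, "sub": "admin", "exp": NOW + 300},
               separators=(",", ":")).encode()), _sig])
# Unsigned token claiming alg=none with an empty signature segment.
NONE_TOKEN = b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + _body + "."


def validate(token: str) -> str:
    """Return 'ok' or the reason the token was rejected."""
    try:
        verify_hs256(token, SECRET, ISSUER, AUDIENCE, now=NOW)
        return "ok"
    except TokenError as exc:
        return str(exc)


if __name__ == "__main__":
    for name, tok in [("good", GOOD_TOKEN), ("tampered", TAMPERED_TOKEN),
                      ("alg=none", NONE_TOKEN), ("expired", EXPIRED_TOKEN)]:
        print(f"{name:9s} -> {validate(tok)}")
```

In production the resource server would typically verify an asymmetric signature (RS256/ES256) against the issuer's published JWKS instead of a shared secret, but the ordering of checks stays the same: pin the algorithm, verify the signature, then validate the claims.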
## Providers

- Auth0, Okta (SaaS)
- AWS Cognito, Azure AD B2C (cloud)
- Keycloak (open-source)
## Why it matters

OAuth 2.0 and OpenID Connect are the authentication and authorization standards of the modern web. Implementing them correctly protects users and the application. Implementing them poorly creates vulnerabilities that attackers know well.
## References

- OAuth 2.0 — Specification.
- OpenID Connect — Specification.
- RFC 6749 — OAuth 2.0 — IETF, 2012. Original OAuth 2.0 specification.
## Related content

- API Design: principles and practices for designing clear, consistent, and evolvable programming interfaces that facilitate integration between systems.
- AWS IAM: AWS identity and access management service controlling who can do what in your account, with granular policies based on the principle of least privilege.
- Zero Trust: security architecture that rigorously verifies every request regardless of origin, eliminating implicit trust in internal networks.
- API Gateway Pattern: pattern providing a single entry point for multiple microservices, handling routing, authentication, rate limiting, and response aggregation.