OAuth & OIDC
Industry standards for delegated authorization (OAuth 2.0) and federated authentication (OpenID Connect), enabling third-party login and secure API access.
Tags: seed, oauth, oidc, authentication, authorization, jwt, identity
What it is
- OAuth 2.0: authorization protocol that lets an application access a user's resources on the user's behalf without ever handling the user's credentials
- OpenID Connect (OIDC): identity layer on top of OAuth 2.0 that adds authentication (who the user is), delivered as an ID token
OAuth 2.0 flows
| Flow | Use |
|---|---|
| Authorization Code | Web apps with backend |
| Authorization Code + PKCE | SPAs, mobile apps |
| Client Credentials | Machine-to-machine |
| Device Code | Input-constrained devices without a browser |
Tokens
| Token | Purpose | Duration | Standard |
|---|---|---|---|
| Access Token | Authorizes resource access | Short (minutes-hours) | OAuth 2.0 |
| Refresh Token | Obtains new access tokens | Long (days-weeks) | OAuth 2.0 |
| ID Token | Contains user information | Short | OIDC (always JWT) |
JWT (JSON Web Token)
Common token format: three base64url-encoded parts, header.payload.signature. Checking the signature lets a resource server verify the token's integrity and origin locally, without calling the authorization server on every request.
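An added example, not code from the original note, of how a relying party verifies a JWT locally. It uses HS256 with a constructed shared secret so it runs on the Python standard library alone; ISSUER, CLIENT_ID and SECRET are constructed values, and production ID tokens are normally RS256-signed and verified against the provider's published JWKS public key instead.

```python
import base64, hashlib, hmac, json, time
# Constructed values; a real ID token is usually RS256-signed and checked against the IdP's JWKS key.
ISSUER, CLIENT_ID, SECRET = "https://idp.example", "my-app", b"constructed-demo-secret"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # restore stripped '=' padding
def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_jwt(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build header.payload.signature as the identity provider would (HS256 here; alg='none' for the demo)."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_jwt(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Check the signature, then the claims a relying party must validate; raise ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # pin the algorithm: the token must never choose it (e.g. "none")
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))  # only trust the payload after the signature passes
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    return claims

def demo(now: int = 1_700_000_100) -> dict:
    """A valid token is accepted; a re-encoded payload and an alg=none token are both rejected."""
    claims = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID, "iat": now - 100, "exp": now + 200}
    good = make_jwt(claims, SECRET)
    header, _, sig = good.split(".")
    forged = f"{header}.{b64url_encode(json.dumps({**claims, 'sub': 'admin'}).encode())}.{sig}"
    results = {"valid_sub": verify_jwt(good, SECRET, ISSUER, CLIENT_ID, now)["sub"]}
    for name, tok in (("forged", forged), ("alg_none", make_jwt(claims, SECRET, alg="none"))):
        try:
            results[name] = "accepted: " + verify_jwt(tok, SECRET, ISSUER, CLIENT_ID, now)["sub"]
        except ValueError as err:
            results[name] = str(err)
    return results
```

The signature check alone is not enough: the issuer, audience and expiry claims are validated too, and the algorithm is fixed by the verifier rather than read from the token.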
Providers
- Auth0, Okta (SaaS)
- AWS Cognito, Azure AD B2C (cloud)
- Keycloak (open-source)
Why it matters
OAuth 2.0 and OpenID Connect are the authentication and authorization standards of the modern web. Implementing them correctly protects users and the application. Implementing them poorly creates vulnerabilities that attackers know well.
References
- RFC 6749, The OAuth 2.0 Authorization Framework, IETF, 2012 (original OAuth 2.0 specification).
- OpenID Connect Core 1.0, OpenID Foundation (specification).