OAuth and OpenID Connect

What is OAuth 2.0?

  • A client application can request an access token to gain access to an API.
  • OAuth 2.0 defines how a client application can securely obtain authorization.
  • The standard defines how the different types of client applications use its endpoints.
  • IdentityServer, Azure AD and other frameworks implement the OAuth2 standard.

What is OpenID Connect?

  • A client application can request an identity token (alongside an access token).
  • That identity token is used to sign in to the client application.
  • OIDC defines an additional endpoint that allows a client application to get additional information on the user.
  • OpenID Connect is the superior protocol: it extends and supersedes OAuth2.
  • Even if the client application only requires authorization to access an API, we should use OIDC instead of plain OAuth2.

Protocol Flows

The OAuth core spec (RFC 6749)

  • Authorization Code
  • Implicit
  • Password (Resource Owner Password Credentials)
  • Client Credentials

PKCE (RFC 7636) and “OAuth 2.0 for Native Apps” (RFC 8252)

Device Grant (RFC 8628)
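As an added example (not code from the original post), the two halves of PKCE in the Authorization Code flow: the client side that derives the S256 challenge and builds an OIDC authorization request, and the check the token endpoint performs when the code is exchanged. The endpoint URL, client id and redirect URI are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def b64url(raw: bytes) -> str:
    # RFC 7636 uses base64url without padding
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # RFC 7636 §4.1: 43..128 chars; 32 random bytes encode to 43 chars
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                            verifier: str, state: str, nonce: str) -> str:
    # "openid" scope turns a plain OAuth2 request into an OIDC request (ID token returned).
    # state ties the callback to this browser session; nonce is echoed in the ID token.
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def server_verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    # Token endpoint side: the challenge was stored with the issued code; the client
    # now presents the verifier. Assumption: only S256 is accepted ("plain" is rejected).
    if stored_method != "S256":
        return False
    return secrets.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)
```

An intercepted authorization code alone is useless to a third party because the exchange fails without the verifier that never left the legitimate client.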

Current State

Ademar Gonçalves