OAuth and OpenID Connect

What is OAuth 2.0?

OAuth 2.0 is an open protocol that allows secure authorization in a simple, standard way from web, mobile and desktop applications. It is used by everyone from large-scale providers like Facebook and Google to small companies and startups.

  • A client application can request an access token to gain access to an API.
  • OAuth 2.0 defines how a client application can securely achieve authorization.
  • The standard defines how to use its endpoints for different types of client applications.
  • IdentityServer, Azure AD and other frameworks implement the OAuth2 standard.

What is OpenID Connect?

OpenID Connect is a simple identity layer on top of the OAuth2 protocol.

  • A client application can request an identity token (next to an access token).
  • That identity token is used to sign in to the client application.
  • Defines an additional endpoint that allows a client application to get additional information on the user.
  • OpenID Connect is the superior protocol: it extends and supersedes OAuth2.
  • Even if the client application only requires authorization to access an API, we should use OIDC instead of plain OAuth2.

Protocol Flows

While this can be incredibly frustrating, it’s no accident that OAuth is actually made up of many different RFCs, building upon each other and adding features in different ways.

The OAuth core spec (RFC 6749)

It defines four grant types:

  • Authorization Code
  • Implicit
  • Password
  • Client Credentials

PKCE (RFC 7636) and “OAuth 2.0 for Native Apps” (RFC 8252)

It became apparent that a better solution was needed for mobile apps, so PKCE (RFC 7636) was created to provide a way to use the Authorization Code flow without a client secret.
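
The sketch below is an added example, not code from the original article: it shows how PKCE replaces the client secret, with the client sending a hashed challenge in the authorization request and proving possession of the matching verifier when it redeems the code. The function names are hypothetical, and rejecting the "plain" method is a policy assumption of this example rather than a requirement of RFC 7636.

```python
import base64
import hashlib
import hmac
import secrets
import string

# Characters RFC 7636 allows in a code_verifier (the "unreserved" set).
_ALLOWED = set(string.ascii_letters + string.digits + "-._~")


def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(n_bytes: int = 32) -> str:
    """Client side: 32 random bytes encode to a 43-character verifier."""
    return b64url(secrets.token_bytes(n_bytes))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verifier_is_well_formed(verifier: str) -> bool:
    """Enforce the 43..128 length and character set before hashing."""
    return 43 <= len(verifier) <= 128 and set(verifier) <= _ALLOWED


def server_verify(stored_challenge: str, method: str, verifier: str) -> bool:
    """Token endpoint check (hypothetical helper): compare the challenge
    stored with the authorization code against the presented verifier."""
    if method != "S256":  # assumption: this server refuses "plain"
        return False
    if not verifier_is_well_formed(verifier):
        return False
    return hmac.compare_digest(s256_challenge(verifier), stored_challenge)


if __name__ == "__main__":
    verifier = new_code_verifier()          # kept by the client, never sent up front
    challenge = s256_challenge(verifier)    # sent with the authorization request
    print("challenge:", challenge)
    print("legitimate client:", server_verify(challenge, "S256", verifier))
    # A party that intercepted only the authorization code has no verifier.
    print("wrong verifier:", server_verify(challenge, "S256", new_code_verifier()))
```
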

Device Grant (RFC 8628)

A new class of device arose along with a need to use OAuth with them: devices that have no browser or lack a keyboard, such as an Apple TV or YouTube streaming video encoder.

Current State

It all started with a core OAuth RFC, then things were added and removed, turning it into an entirely different set of recommendations.


