The Complete Guide to OAuth 2.0 and OpenID Connect Protocols

Find out how the most widely-used protocols for authentication and authorization really work

Haseeb Anwar, published in Better Programming, Jun 1, 2020 (9 min read)


Photo by James Pond on Unsplash

We’ve all seen the “sign in with Google” and “connect to Facebook” buttons on websites and mobile apps. Click the button and a screen opens that says, “This app wants to access your public profile, contacts…” and asks you whether you want to give access. This is OAuth at a high level. Understanding these protocols is crucial for every software engineer, security expert, and even hacker.

TL;DR

A complete guide to OAuth 2.0 and OpenID Connect, the two most widely used protocols on the internet today for authorization and authentication. OAuth 2.0 is used for authorization and OpenID Connect is used for authentication. The two most common OAuth 2.0 authorization flows are the authorization code flow, for server-side applications, and the implicit flow, for browser-based applications. OpenID Connect is an identity layer on top of the OAuth 2.0 protocol that makes OAuth suitable for authentication use cases.

Why OAuth?

To understand the reason for the birth of OAuth we need to understand a term called Delegated Authorization.

Delegated authorization

Delegated authorization is an approach to allowing a third-party application access to a user’s data.

Two approaches to delegated authorization

There are two approaches to delegated authorization. Either you give the third-party application your account password so it can log in to your account on your behalf and access your data, or you grant the application access to your data using OAuth without ever giving it your password (and none of us will give our password!).

Now that we understand the need for OAuth and why it matters, let’s dive deeper into the protocol.

What is OAuth?

OAuth (Open Authorization) is a standard protocol for delegated authorization. It allows applications to access user data without the user’s password.
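To make the delegated-authorization idea concrete, here is an added example (not code from the article) of the two legs a server-side application runs in the authorization code flow named in the TL;DR: building the redirect to the provider’s consent screen, then validating the callback before exchanging the code for tokens. The provider endpoints, client id and redirect URI are placeholders; the `state` check is the standard defence that ties the callback to the session that started the flow.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder endpoints and client registration; a real provider publishes its own.
AUTHORIZE_URL = "https://auth.example.com/oauth/authorize"
TOKEN_URL = "https://auth.example.com/oauth/token"
CLIENT_ID = "demo-client"
REDIRECT_URI = "https://app.example.com/callback"


def build_authorization_request(session: dict, scopes: list[str]) -> str:
    """Leg 1: redirect the user to the provider's consent screen.
    A random `state` is stored server-side and checked on return, so a
    callback that did not originate from this session is rejected."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),   # e.g. the "public profile, contacts" the consent screen lists
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> dict:
    """Leg 2: the provider redirects back with ?code=...&state=...
    Returns the form body for the token request, or raises on a bad callback."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)   # single use: consume it
    received = query.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected, received):
        raise ValueError("state mismatch: reject the callback")
    if "error" in query:
        raise ValueError(f"provider returned error: {query['error'][0]}")
    code = query["code"][0]
    # The server (never the browser) posts this body to TOKEN_URL, authenticating
    # with its client secret; the user's password is never seen by the application.
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
    }
```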

OAuth 2.0 terminology
