OAuth Authorization vs Authentication

OAuth is a specification for authorization

OAuth 2.0 is a specification for authorization, but NOT for authentication. RFC 6749, Section 3.1 (Authorization Endpoint), explicitly says as follows:

The authorization endpoint is used to interact with the resource owner and obtain an authorization grant. The authorization server MUST first verify the identity of the resource owner. The way in which the authorization server authenticates the resource owner (e.g., username and password login, session cookies) is beyond the scope of this specification.

OAuth authentication?

Authentication deals with information about “who one is”. Authorization deals with information about “who grants what permissions to whom”. An authorization flow contains authentication as its first step, which is why people are often confused.

There are many libraries and services that use OAuth 2.0 for authentication. This is often called “social login”, and it makes people even more confused. If you see “OAuth authentication” (not “OAuth authorization”), it is a solution that uses OAuth for authentication.

OpenID Connect

OpenID 1.0 and OpenID 2.0 are old specifications for authentication. Those who wrote the specifications expected people to use OpenID for authentication. However, some people began to use OAuth 2.0 for authentication (not for authorization), and OAuth authentication spread rapidly.

From the viewpoint of the OpenID guys, authentication based on OAuth was not secure enough, but they had to admit that people preferred OAuth authentication. As a result, the OpenID guys decided to define a new specification, OpenID Connect, on top of OAuth 2.0.

Yes, this has made people much more confused.

One-sentence definitions of OAuth 2.0 and OpenID Connect

OAuth 2.0 is a framework where a user of a service can allow a third-party application to access his/her data hosted in the service without revealing his/her credentials (ID & password) to the application.


OpenID Connect is a framework on top of OAuth 2.0 where a third-party application can obtain a user’s identity information that is managed by a service.


(Sorry, these definitions are excerpts from the overview page of my company)

Definitions from a viewpoint of implementors

Authentication is a process to determine the subject (= unique identifier) of an end-user. There are many ways to determine the subject: ID & password, fingerprints, iris recognition, etc.

Authorization is a process to associate the subject with the requested permissions and the client application that requested the permissions. An access token represents the association.
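The following toy model puts the definitions above, and the one-sentence definitions of OAuth 2.0 and OpenID Connect, into running code. It is an added illustration, not code from this article or from my company: authentication determines a subject, authorization binds that subject, the requesting client and the granted permissions into an (opaque) access token, and OpenID Connect additionally hands the client a signed ID token that states who authenticated and for which client it was issued. The users, client IDs, issuer URL and HMAC key are all constructed for the demo, and the HS256 signing is a stand-in for a real JWT library.

```python
"""Toy model of authentication, authorization (access token = association of
subject, client and permissions) and OpenID Connect (signed ID token).
Added example; every name and value below is constructed for illustration."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# --- constructed sample data (not from any real service) ---------------------
USERS = {  # username -> (sha256 of password, subject identifier)
    "alice": (hashlib.sha256(b"correct horse").hexdigest(), "user-1001"),
}
CLIENTS = {"photo-printer", "calendar-app"}        # registered client_ids
ISSUER = "https://as.example"                      # hypothetical authorization server
ID_TOKEN_KEY = b"constructed-hmac-key-for-demo-only"  # toy HS256 key
ACCESS_TOKENS: dict = {}                           # opaque token -> association record


def authenticate(username: str, password: str) -> Optional[str]:
    """Authentication: determine the subject of the end-user, or None."""
    record = USERS.get(username)
    if record is None:
        return None
    stored_hash, sub = record
    presented = hashlib.sha256(password.encode()).hexdigest()
    return sub if hmac.compare_digest(stored_hash, presented) else None


def authorize(sub: str, client_id: str, scopes: set) -> str:
    """Authorization: associate the subject with the requested permissions and
    the client that requested them. The opaque access token represents it."""
    if client_id not in CLIENTS:
        raise ValueError("unknown client")
    token = secrets.token_urlsafe(16)
    ACCESS_TOKENS[token] = {"sub": sub, "client_id": client_id, "scope": sorted(scopes)}
    return token


def introspect(access_token: str) -> Optional[dict]:
    """What a resource server learns from an access token: the association."""
    return ACCESS_TOKENS.get(access_token)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(sub: str, client_id: str, now: Optional[int] = None) -> str:
    """OpenID Connect: a signed statement of who authenticated (sub) and for
    which client the statement is meant (aud)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": client_id, "iat": now, "exp": now + 300}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(ID_TOKEN_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_id_token(token: str, expected_aud: str, now: Optional[int] = None) -> Optional[dict]:
    """Relying-party check of an ID token: signature, alg, issuer, audience,
    expiry. Returns the claims, or None if any check fails."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, c, s = parts
    expected_sig = hmac.new(ID_TOKEN_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        return None
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return None
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != ISSUER or claims.get("aud") != expected_aud:
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def demo(now: int = 1_700_000_000) -> dict:
    """Run the three steps for the constructed user and the photo-printer client."""
    sub = authenticate("alice", "correct horse")            # step 1: who is this?
    access_token = authorize(sub, "photo-printer", {"photos:read"})  # step 2: who grants what to whom
    id_token = issue_id_token(sub, "photo-printer", now=now)         # OIDC: identity for the client
    return {
        "association": introspect(access_token),
        "id_token_ok_at_photo_printer": verify_id_token(id_token, "photo-printer", now=now) is not None,
        "id_token_ok_at_calendar_app": verify_id_token(id_token, "calendar-app", now=now) is not None,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `aud` check in `verify_id_token` is the part that has no counterpart in plain OAuth 2.0: the access token only tells a resource server which subject granted which permissions to which client, whereas the ID token tells the client itself who the user is and that the statement was issued for that client and nobody else.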

See Also

  1. Full-Scratch Implementor of OAuth and OpenID Connect Talks About Findings
  2. Diagrams And Movies Of All The OAuth 2.0 Flows
  3. Diagrams of All The OpenID Connect Flows
  4. The Simplest Guide To OAuth 2.0
