Overview#
OAuth 2.0 is about Delegation not Authorization
OAuth 2.0 is NOT an Authentication protocol. (An authentication protocol can be built on top of OAuth 2.0, as OpenID Connect does.)
OAuth 2.0 is NOT an Authorization protocol.
OAuth 2.0 is often called an authorization protocol; even RFC 6749 is titled "The OAuth 2.0 Authorization Framework". However, what OAuth 2.0 actually specifies is a delegation protocol.
What is delegated is a subset of the Resource Owner (user)'s authority. OAuth 2.0 does NOT itself make the authorization decision. It provides a protocol (the Authorization Request) by which an OAuth Client can ask a user to delegate some of their authority. The Resource Owner (user) can then approve or deny the request, and the OAuth Client can act only within what was actually approved: the granted scope, which may be narrower than the scope the client requested (RFC 6749 section 3.3).
OAuth 2.0 Authorization provides for the Delegation of Authorization
- By the Resource Owner
- to the OAuth Client
- for access to a Resource Server
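The exchange described above, as an added illustration that is not code from this page or from any OAuth implementation: a single Python file plays all four roles (Resource Owner, OAuth Client, Authorization Server, Resource Server) for the authorization code grant. The client ID "photo-app", the user "alice", the scopes "contacts:read" / "contacts:write" and all URLs are constructed for the example, and tokens are opaque in-memory strings. The point it makes is the one in the text: the client only ever requests; the Resource Owner decides; the granted scope can be narrower than the requested scope; and the Resource Server honours only what the token says was delegated.

```python
"""Toy OAuth 2.0 authorization-code exchange showing delegation.
Example code added to this page; identifiers, URLs and data are constructed.
"""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


def build_authorization_request(client_id, redirect_uri, scope, state):
    """OAuth Client: RFC 6749 section 4.1.1 Authorization Request.
    The client asks for delegation of `scope`; nothing is granted yet."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": " ".join(scope),
              "state": state}
    return "https://as.example/authorize?" + urlencode(params)


class AuthorizationServer:
    def __init__(self, clients):
        self.clients = clients   # client_id -> registered redirect_uri (exact match)
        self._codes = {}         # code -> (client_id, owner, granted scope)
        self._tokens = {}        # access token -> (owner, granted scope)

    def authorize(self, request_url, resource_owner, approved):
        """Resource Owner's decision. `approved` is the set of scopes the owner
        agreed to delegate; None means the owner denied the request."""
        q = {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}
        if q.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        client_id, redirect_uri = q["client_id"], q["redirect_uri"]
        if self.clients.get(client_id) != redirect_uri:
            raise ValueError("unknown client or unregistered redirect_uri")
        if approved is None:
            return redirect_uri + "?" + urlencode({"error": "access_denied",
                                                   "state": q["state"]})
        requested = set(q.get("scope", "").split())
        granted = requested & set(approved)   # owner may narrow, never widen
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, resource_owner, granted)
        return redirect_uri + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, client_id, redirect_uri, code):
        """RFC 6749 section 4.1.3: the client exchanges the code for a token."""
        entry = self._codes.pop(code, None)   # codes are single use
        if (entry is None or entry[0] != client_id
                or self.clients.get(client_id) != redirect_uri):
            return {"error": "invalid_grant"}
        _, owner, granted = entry
        access_token = secrets.token_urlsafe(24)
        self._tokens[access_token] = (owner, granted)
        return {"access_token": access_token, "token_type": "Bearer",
                "scope": " ".join(sorted(granted))}

    def introspect(self, access_token):
        return self._tokens.get(access_token)


class ResourceServer:
    """Holds the owner's data; allows only what the token says was delegated."""
    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.contacts = {"alice": ["bob@example.test"]}   # constructed data

    def _check(self, access_token, needed):
        entry = self.auth_server.introspect(access_token)
        if entry is None:
            return None, (401, "invalid_token")
        owner, granted = entry
        if needed not in granted:
            return None, (403, "insufficient_scope")
        return owner, None

    def read_contacts(self, access_token):
        owner, err = self._check(access_token, "contacts:read")
        return err or (200, list(self.contacts[owner]))

    def add_contact(self, access_token, address):
        owner, err = self._check(access_token, "contacts:write")
        if err:
            return err
        self.contacts[owner].append(address)
        return (200, "added")


def run_delegation_flow(approved):
    """Drive one complete exchange; return what the client ended up able to do."""
    auth = AuthorizationServer({"photo-app": "https://app.example/cb"})
    rs = ResourceServer(auth)
    state = secrets.token_urlsafe(8)
    req = build_authorization_request("photo-app", "https://app.example/cb",
                                      ["contacts:read", "contacts:write"], state)
    redirect = auth.authorize(req, "alice", approved)
    cb = {k: v[0] for k, v in parse_qs(urlparse(redirect).query).items()}
    if cb.get("state") != state:          # bind the callback to our request
        raise ValueError("state mismatch (possible CSRF)")
    if "error" in cb:
        return {"error": cb["error"]}
    tok = auth.token("photo-app", "https://app.example/cb", cb["code"])
    return {"scope": tok["scope"],
            "read": rs.read_contacts(tok["access_token"])[0],
            "write": rs.add_contact(tok["access_token"], "carol@example.test")[0]}
```

Running `run_delegation_flow(["contacts:read"])` models a user who approves only part of the request: the token's scope is "contacts:read", reads succeed (200) and writes fail with 403 insufficient_scope. Passing `None` models a denial and yields `{"error": "access_denied"}` with no token issued at all. Note what the Authorization Server never does: it does not decide what alice may do with her own contacts; it only records and enforces what alice chose to delegate.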