OAuth 2.0 Authorization


OAuth 2.0 is about Delegation not Authorization

OAuth 2.0 is NOT an Authentication protocol. (But you can build one on top of OAuth 2.0, as is done with OpenID Connect.)

OAuth 2.0 is NOT an Authorization protocol.

OAuth 2.0 is often called an authorization protocol; even RFC 6749 is titled "The OAuth 2.0 Authorization Framework". However, what OAuth 2.0 actually specifies is a delegation protocol.

What is delegated is a subset of the Resource Owner (user)'s authorization. OAuth 2.0 does NOT even make the authorization decision itself; rather, it provides a protocol (the Authorization Request) by which an OAuth Client can ask a user to delegate some of their authority. The Resource Owner (user) can then approve or deny the request, and the OAuth Client can act on the result of that approval, normally an Access Token whose scope is limited to what the user approved. Deciding what that token may actually do remains the job of the Resource Server.

OAuth 2.0 Authorization provides for the Delegation of Authorization
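The delegation described above, worked through as a small authorization-code exchange. This is an added example, not code from the original page or from any OAuth library: the `AuthorizationServer`, the `cal-app` client, the `alice` resource owner and the `read:calendar` / `write:calendar` scopes are all constructed for illustration, and the server is an in-memory toy that follows the message shapes of RFC 6749 sections 4.1.1 to 4.1.4 rather than a complete implementation. It shows the three points the text makes: the client only asks; the resource owner approves a subset (or denies); and the resulting token carries just that subset, which the resource server, not OAuth, enforces.

```python
"""Toy OAuth 2.0 authorization-code delegation (added example; hypothetical classes)."""
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlencode, urlparse, parse_qs


@dataclass(frozen=True)
class Token:
    access_token: str
    resource_owner: str
    scopes: frozenset  # only what the resource owner approved


@dataclass
class AuthorizationServer:
    # Constructed client registration. Redirect URIs are compared exactly (RFC 6749 3.1.2.3).
    clients: dict = field(default_factory=lambda: {
        "cal-app": {"redirect_uri": "https://cal-app.example/cb"}})
    _codes: dict = field(default_factory=dict)
    tokens: dict = field(default_factory=dict)

    def authorization_endpoint(self, request_url, resource_owner, approved_scopes):
        """Step 2: the resource owner's consent decision. `approved_scopes` models
        the subset the user ticked on the consent screen; an empty set is a denial."""
        q = {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}
        client = self.clients.get(q.get("client_id"))
        # Unknown client or mismatched redirect_uri: never redirect, error out in place.
        if client is None or q.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("invalid client_id or redirect_uri")
        requested = set(q.get("scope", "").split())
        approved = set(approved_scopes)
        params = {"state": q.get("state", "")}
        # The user may narrow the request but can never widen it.
        if not approved or not approved <= requested:
            params["error"] = "access_denied"
        else:
            code = secrets.token_urlsafe(24)
            self._codes[code] = (q["client_id"], q["redirect_uri"],
                                 resource_owner, frozenset(approved))
            params["code"] = code
        return f"{client['redirect_uri']}?{urlencode(params)}"

    def token_endpoint(self, code, client_id, redirect_uri):
        """Step 3: the client redeems the single-use code for a token that carries
        exactly the approved scopes, nothing the client merely asked for."""
        grant = self._codes.pop(code, None)
        if grant is None or grant[0] != client_id or grant[1] != redirect_uri:
            raise ValueError("invalid_grant")
        token = Token(secrets.token_urlsafe(32), grant[2], grant[3])
        self.tokens[token.access_token] = token
        return token


def build_authorization_request(client_id, redirect_uri, scopes, state):
    """Step 1 (RFC 6749 4.1.1): the client can only *ask* for delegation of `scopes`."""
    return "https://as.example/authorize?" + urlencode({
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": " ".join(scopes), "state": state})


def resource_server_access(auth_server, access_token, required_scope):
    """The resource server makes the actual access decision against the delegated
    scope. OAuth delivered the token; it did not decide what the token may do."""
    token = auth_server.tokens.get(access_token)
    if token is None:
        return 401, "invalid_token"
    if required_scope not in token.scopes:
        return 403, "insufficient_scope"
    return 200, f"ok for {token.resource_owner}"


def run_flow(approved_scopes):
    """Drive the exchange for the constructed client. Returns (server, token, error)."""
    auth = AuthorizationServer()
    state = secrets.token_urlsafe(16)
    url = build_authorization_request("cal-app", "https://cal-app.example/cb",
                                      ["read:calendar", "write:calendar"], state)
    redirect = auth.authorization_endpoint(url, "alice", approved_scopes)
    resp = {k: v[0] for k, v in parse_qs(urlparse(redirect).query).items()}
    assert resp["state"] == state  # client ties the response back to its own request
    if "error" in resp:
        return auth, None, resp["error"]
    return auth, auth.token_endpoint(resp["code"], "cal-app",
                                     "https://cal-app.example/cb"), None
```

Run `run_flow(["read:calendar"])` and the client, which asked for read and write, ends up with a token that the resource server accepts for `read:calendar` and rejects for `write:calendar`; `run_flow([])` yields `error=access_denied` and no token at all. The scope check lives in `resource_server_access`, which is the point of the section: the authorization decision is made where the resource lives, and OAuth only carries the user's delegation to it.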

More Information#

There might be more information for this subject on one of the following: