OAuth 2.0 NOT an Authentication protocol


OAuth Not for Authentication

OAuth 2.0 is NOT an Authentication protocol (but an authentication protocol can be built on top of OAuth 2.0, as OpenID Connect does).

OAuth 2.0 is NOT an Authorization protocol.

OAuth 2.0 is often called an authorization protocol; even RFC 6749 is titled "The OAuth 2.0 Authorization Framework". However, OAuth 2.0 is a delegation protocol.

What is delegated is a subset of a user's authorization. OAuth 2.0 does not itself perform the Authorization; rather, it provides a protocol through which an OAuth Client can request that a user delegate some of their authority. The user can then approve or deny the request, and the OAuth Client can then act with whatever authority that approval conferred.

OAuth 2.0 provides for the Delegation of Authorization

OAuth 2.0 uses delegation for user authentication to the service that hosts the Resource Owner (user) account [4]

The problem with OAuth 2.0 for Authentication [3]#

A nice article on The problem with OAuth for Authentication
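The delegation flow described above, and the reason it does not amount to authentication, as an added illustration (this is example code written for this page, not code from any OAuth library or from the linked article). The authorization server, resource server, client names, user names and tokens are all constructed for the example; the point it shows is that an access token proves a user delegated some scope to a particular client, not who the bearer is, which is why a client that logs users in on the strength of any valid access token is mistaken and why an audience-bound assertion (what OpenID Connect's ID token adds) is needed instead.

```python
"""Added illustration: OAuth 2.0 delegates a subset of a user's authority to a
client; possession of an access token is not proof of who the bearer is.
All classes, names and tokens here are constructed for the example."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessToken:
    value: str            # opaque bearer string handed to the client
    client_id: str        # the client the user delegated to
    subject: str          # the resource owner (user) who approved
    scopes: frozenset     # the subset of the user's authority delegated


class AuthorizationServer:
    """Toy authorization server (hypothetical): records the user's approve/deny
    decision and issues an access token only for an approved delegation."""

    def __init__(self):
        self._issued = {}

    def authorize(self, client_id, subject, requested_scopes, approved):
        # The user, not the server, decides whether to delegate.
        if not approved:
            return None
        token = AccessToken(secrets.token_urlsafe(16), client_id, subject,
                            frozenset(requested_scopes))
        self._issued[token.value] = token
        return token

    def introspect(self, value):
        """Return the token record, or None for an unknown or revoked token."""
        return self._issued.get(value)


class ResourceServer:
    """Toy protected resource: enforces the delegated scope, nothing more."""

    def __init__(self, auth_server):
        self._as = auth_server

    def read_photos(self, token_value):
        token = self._as.introspect(token_value)
        if token is None or "photos:read" not in token.scopes:
            raise PermissionError("token missing or lacks photos:read")
        return f"photos of {token.subject}"


def naive_login(auth_server, token_value):
    """Mistaken 'OAuth as authentication': any valid token is taken as proof
    that the bearer *is* the subject. It never checks which client the token
    was delegated to, so a token issued to any client passes as a login."""
    token = auth_server.introspect(token_value)
    return token.subject if token else None


def audience_checked_login(auth_server, my_client_id, token_value):
    """Defensive check: accept the subject only if the token was delegated to
    *this* client. This is the audience binding an OpenID Connect ID token
    carries in its 'aud' claim; a bare OAuth 2.0 access token does not."""
    token = auth_server.introspect(token_value)
    if token is None or token.client_id != my_client_id:
        return None
    return token.subject


def demo():
    as_ = AuthorizationServer()
    rs = ResourceServer(as_)
    # Alice approves delegating photos:read to the 'photo-printer' client.
    granted = as_.authorize("photo-printer", "alice", {"photos:read"}, approved=True)
    # Bob denies the same request: no token is issued at all.
    denied = as_.authorize("photo-printer", "bob", {"photos:read"}, approved=False)
    # The resource server honours exactly the delegated scope ...
    photos = rs.read_photos(granted.value)
    # ... but a different client that treats the token as a login accepts it:
    naive = naive_login(as_, granted.value)
    # The audience-bound check sees the token was not issued to it and refuses,
    # while the client the user actually delegated to is recognised.
    strict = audience_checked_login(as_, "social-site", granted.value)
    own = audience_checked_login(as_, "photo-printer", granted.value)
    return {"denied": denied, "photos": photos, "naive": naive,
            "strict": strict, "own": own}


if __name__ == "__main__":
    print(demo())
```

Run it and compare `naive` with `strict`: the same token yields a "login" from the naive check and a refusal from the audience-checked one, which is the whole gap between delegation and authentication.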
