Overview [1]
OAuth 2.0 is NOT an Authentication protocol. (But you could build one on top of OAuth 2.0, as is done with OpenID Connect.)
OAuth 2.0 is NOT an Authorization protocol.
OAuth 2.0 is often called an authorization protocol; even RFC 6749 is titled "The OAuth 2.0 Authorization Framework". However, OAuth 2.0 is a delegation protocol.
What is delegated is a subset of a user's authorization. OAuth 2.0 does not even perform the Authorization itself, but rather provides a protocol where an OAuth Client can request that a user delegate some of their authority. The user can then approve, or deny, the request, and the OAuth Client can then act with the results of that approval.
OAuth 2.0 provides for the Delegation of Authorization
- By the Resource Owner
- to the OAuth Client
- for a Resource Server
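A minimal simulation of that delegation, added here as an example (not code from the page or from any OAuth library): the Resource Owner approves a subset of the requested scopes, the Authorization Server records that grant in a token, and the Resource Server enforces it. The HMAC-signed token format, the shared secret and the names are assumptions for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional, Set

# Constructed demo secret shared by the simulated Authorization Server and Resource Server
# (assumption for this example; real deployments use asymmetric keys or RFC 7662 introspection).
AS_SECRET = b"constructed-demo-secret-not-for-real-use"


def resource_owner_consents(requested: Set[str], approved: Set[str]) -> Set[str]:
    """Delegation step: the Resource Owner grants only the subset of requested scopes it approves."""
    return requested & approved


def issue_access_token(client_id: str, granted: Set[str], ttl: int = 3600, now: Optional[float] = None) -> str:
    """Authorization Server step: the token records which OAuth Client holds which delegated scopes.
    Note what is absent: no verified user identity claim, so a Client cannot treat possession
    of this token as proof of who the user is (that is what OpenID Connect adds on top)."""
    now = time.time() if now is None else now
    payload = json.dumps({"client_id": client_id, "scope": sorted(granted), "exp": int(now + ttl)},
                         sort_keys=True).encode()
    tag = hmac.new(AS_SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def introspect(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Resource Server step: verify the AS signature and expiry; None for anything it cannot trust."""
    now = time.time() if now is None else now
    try:
        encoded, tag = token.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(AS_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # tampered or forged token
        return None
    info = json.loads(payload)
    return None if info["exp"] <= now else info  # expired delegation is rejected


def resource_server_allows(token: str, required_scope: str, now: Optional[float] = None) -> bool:
    """The Resource Server enforces the delegated authority: only scopes the owner approved pass."""
    info = introspect(token, now)
    return info is not None and required_scope in info["scope"]
```

Running `resource_server_allows` with the granted token returns True for a scope the owner approved and False for one the Client asked for but the owner declined.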
The problem with OAuth 2.0 for Authentication [3]
A nice article on The problem with OAuth for Authentication
More Information
There might be more information for this subject on one of the following:
- Authentication Protocol
- OAuth 2.0
- OAuth 2.0 for Native Apps
- OAuth Scope Example
- What is missing in OAuth 2.0
- [#1] - not an authentication protocol
  - based on information obtained 2015-07-05
- [#2] - A sample of the slides that won me #CISNOLA #TrackBattle.
- [#3] - The problem with OAuth for Authentication
- [#4] - An Introduction to OAuth 2
- [#5] - OAuth 2.0 NOT an Authentication protocol
- [#2] - OAuth is not Authentication - 2 min. OAuth #9
  - based on information obtained 2018-10-15