Overview[1]#

OAuth 2.0 NOT an Authentication protocol

OAuth Not for Authentication

[2]

OAuth 2.0 is NOT an Authentication protocol. (But you could build one on top of OAuth 2.0 as is done with OpenID Connect

OAuth 2.0 is NOT an Authorization protocol.

OAuth 2.0 is often called an authorization protocol, even the RFC 6749 is called "The OAuth 2.0 Authorization Framework". However, OAuth 2.0 is a delegation protocol.

What is delegated is a subset of the a user’s authorization. OAuth 2.0 does not even perform the Authorization but rather provides a protocol where a OAuth Client can request that a user delegate some of their authority. The user can then approve, or deny, the request, and the OAuth Client can then act on it with the results of that approval.

OAuth 2.0 provides for the Delegation of Authorization

• By the Resource Owner
• to the OAuth Client
• for Resource Server

OAuth 2.0 uses delegation for user authentication to the service that hosts the Resource Owner (user) account [4]

The problem with OAuth 2.0 for Authentication [3]#

A nice article on The problem with OAuth for Authentication

More Information#

There might be more information for this subject on one of the following:

• Authentication Protocol
• OAuth 2.0
• OAuth 2.0 for Native Apps
• OAuth Scope Example
• What is missing in OAuth 2.0

---

• [#1] - not an authentication protocol - based on information obtained 2015-07-05
• [#2] - A sample of the slides that won me #CISNOLA #TrackBattle.
• [#3] - The problem with OAuth for Authentication
• [#4] - An Introduction to OAuth 2
• [#5] - OAuth 2.0 NOT an Authentication protocol
• [#6] - OAuth is not Authentication - 2 min. OAuth #9 - based on information obtained 2018-10-15-
• [#7] - OAuth 2.0 and Sign-In - based on information obtained 2015-07-16