OAuth 2.0: Benefits and use cases — why?

Question

Could anyone explain what\'s good about OAuth2 and why we should implement it? I ask because I\'m a bit confused about it — here\'s my current thoughts:

OAuth1 (more

Answer 1

First, as clearly indicated in OAuth authentication

OAuth 2.0 is not an authentication protocol.

Authentication in the context of a user accessing an application tells an application who the current user is and whether or not they're present. A full authentication protocol will probably also tell you a number of attributes about this user, such as a unique identifier, an email address, and what to call them when the application says "Good Morning".

However, OAuth tells the application none of that. OAuth says absolutely nothing about the user, nor does it say how the user proved their presence or even if they're still there. As far as an OAuth client is concerned, it asked for a token, got a token, and eventually used that token to access some API. It doesn't know anything about who authorized the application or if there was even a user there at all.

There is a standard for user authentication using OAuth: OpenID Connect, compatible with OAuth2.

The OpenID Connect ID Token is a signed JSON Web Token (JWT) that is given to the client application along side the regular OAuth access token. The ID Token contains a set of claims about the authentication session, including an identifier for the user (sub), the identifier for the identity provider who issued the token (iss), and the identifier of the client for which this token was created (aud).

In Go, you can look at coreos/dex, an OpenID Connect Identity (OIDC) and OAuth 2.0 Provider with Pluggable Connector.

Answer from this post vonc