Using OAuth 2.0 for User Authentication
OAuth 2.0 is a framework for access delegation and NOT a user authentication protocol. You should not use so-called "OAuth Authentication"; that is an old and insecure practice.
Ref: The problem with OAuth for Authentication by John Bradley.
http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html
We recommend using OpenID Connect for user authentication. In this protocol, relying parties (RP) can request identity providers (IdP) to issue an ID token instead of, or in addition to, an access token. The ID token contains a unique user identifier, so RPs can identify the user by that value.