4

Can Oauth2 be used for authorization and authentication?

As I understand it, Oauth2 authorizes a consumer application to access user information from providers (e.g. Facebook, Google, Twitter, etc).

But can Oauth2 be used to authenticate a user? For example, suppose we have an app comprised of native mobile frontends and a backend api - can Oauth2 be used to valid and maintain authentication on top of the authorization from providers like Facebook, Google, Twitter, etc?

If yes, how? For example, do we persistent the auth token and use it as a session token? Or is OpenId Connect required for authenticating users to a "consumer" app via third-party providers?

phwd
  • 19,975
  • 5
  • 50
  • 78
Ari
  • 4,121
  • 8
  • 40
  • 56

1 Answers1

6

OAuth 2.0 in its spec-compliant form cannot be used for user authentication. Having said that, one can develop an extension to OAuth 2.0 that would allow for user authentication. Some providers, e.g. Facebook, have done just that.

But there is also a standardized extension of OAuth 2.0 that allows for user authentication, called OpenID Connect. OpenID Connect is required indeed if you want to authenticate users to a consumer app via 3rd party providers in a standardized way. The token format of OpenID Connect is a JWT and the token itself is called id_token. You may use an id_token as a session token.

For an extensive article on OAuth 2.0 and user authentication see http://oauth.net/articles/authentication/

Hans Z.
  • 50,496
  • 12
  • 102
  • 115
  • And see https://developers.google.com/accounts/docs/GettingStarted and https://developers.google.com/accounts/docs/OpenIDConnect for Google APIs. – albodelu Mar 12 '15 at 03:53