OAuth2 is a popular authorization and consent protocol that has been widely adopted by developers to enable third-party applications to access user data.
Good to know
If you are looking for a system that implements registration, login, password reset, social sign-in, profile management, 2FA, and more, check out Ory Identities first!
However, OAuth2 is often misunderstood as a login solution when, in fact, it's an authorization protocol that allows users to grant consent to third-party applications to access their data. In this article, we will clear up the misconceptions surrounding OAuth2 and provide insights on when it's the best authentication solution for your project. By the end of this article, you'll have a better understanding of OAuth2 and how it differs from a login solution, such as Ory Identities.
Whether to use OAuth2 and OpenID Connect depends on the use case. At Ory, we have worked with many software companies and have seen many use cases where OAuth2 and OpenID Connect made sense (or not). If your project involves one of the following, then you'll likely need OAuth2 and OpenID Connect:
- If you already rely on OAuth2 and OpenID Connect because you use a product like Auth0 or Keycloak, then you should continue using these protocols to prevent excessive refactoring costs.
- If you want to enable other companies and developers to access the data of your users with their consent, then OAuth2 and OpenID Connect are essential. OAuth2 enables users to grant consent to third-party applications to access their data, providing a secure way to authenticate user requests.
- If you need to solve token-based machine-to-machine authorization, then OAuth2 and OpenID Connect are essential. OAuth2 provides a secure and scalable way to authenticate machine-to-machine requests.
- If you have a large variety of client applications on IoT devices like smart TVs, then OAuth2 and OpenID Connect can be helpful.
There are, of course, more use cases where OAuth2 and OpenID Connect make sense.
However, if your project involves one of the following, then you probably don't need OAuth2:
- If you need login, registration, profile settings, account verification, and account recovery.
- If you want to add social sign-in ("Sign in with Google") to your app or website.
- If you are building a new mobile app or single-page app backed by an API, then use a traditional "Login" solution instead.
In conclusion, whether to use OAuth2 and OpenID Connect depends on the use case. If your project involves enabling third-party applications to access user data, machine-to-machine authorization, or a large variety of client applications on IoT devices, then you'll likely need OAuth2 and OpenID Connect.
Note: An in-depth blog post on this topic is also available at "Do you need OAuth2?". For a more in-depth understanding of when to use OAuth2 and OpenID Connect, as well as more examples of use cases, we recommend checking out our blog post.
FAQs
Why is it a bad idea to use OAuth 2.0 for authentication?
OAuth2 is not an authentication (login) protocol!
The purpose of OAuth2 tokens is to authorize requests at a first-party server (or API). If the third party uses the OAuth2 access token as proof of authentication, an attacker could easily impersonate a legitimate user.
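The FAQ answer above is the core of the whole page, so here is a worked illustration of it. This is an added example, not code from Ory or from this page; the issuer, client names and HS256 key are constructed stand-ins. `naive_login` shows the anti-pattern (any access token with a valid signature is treated as a login), while `oidc_login` shows the checks an OpenID Connect relying party performs on an ID token: issuer, audience equal to its own client ID, expiry and nonce. The `demo()` function runs both verifiers against an ordinary access token that the same authorization server issued to a different client, and against a proper ID token.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed setup (hypothetical names): one authorization server, two
# registered clients, and a symmetric HS256 key standing in for the server's key.
ISSUER = "https://auth.example"
SIGNING_KEY = b"demo-hs256-key-constructed-for-this-example"
MY_CLIENT_ID = "photo-app"        # the relying party that runs this code
OTHER_CLIENT_ID = "calendar-app"  # a different, legitimate client of the same server


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict) -> str:
    """Mint a minimal HS256 JWT; stands in for the authorization server."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify_signature(token: str) -> dict:
    """Return the claims if the HS256 signature is intact, otherwise raise."""
    header, body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64(body))


def mint_access_token_for_other_client(user: str) -> str:
    """An ordinary access token the server issued to calendar-app for calendar-api."""
    return sign_jwt({"iss": ISSUER, "sub": user, "aud": "calendar-api",
                     "client_id": OTHER_CLIENT_ID, "scope": "calendar.read",
                     "exp": int(time.time()) + 600})


def mint_id_token(user: str, nonce: str) -> str:
    """An OpenID Connect ID token the server issued to photo-app for one login."""
    return sign_jwt({"iss": ISSUER, "sub": user, "aud": MY_CLIENT_ID,
                     "nonce": nonce, "exp": int(time.time()) + 600})


def naive_login(token: str) -> str:
    """Anti-pattern: any token with a valid signature and a `sub` counts as a login.
    Nothing ties the token to this relying party, so a token issued to some other
    client (and therefore held by whoever operates that client) logs the user in."""
    return verify_signature(token)["sub"]


def oidc_login(id_token: str, expected_nonce: str) -> str:
    """OpenID Connect checks: issued by our provider, addressed to *this* client,
    unexpired, and bound to the login attempt that requested it."""
    claims = verify_signature(id_token)
    if claims.get("iss") != ISSUER:
        raise PermissionError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if MY_CLIENT_ID not in audiences:
        raise PermissionError("token was not issued to this client")
    if claims.get("exp", 0) <= int(time.time()):
        raise PermissionError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise PermissionError("nonce does not match this login attempt")
    return claims["sub"]


def demo() -> dict:
    """Run both verifiers against the same two tokens and report what each accepts."""
    stray = mint_access_token_for_other_client("alice")
    proper = mint_id_token("alice", "n-123")
    results = {"naive_accepts_stray": naive_login(stray) == "alice"}
    try:
        oidc_login(stray, "n-123")
        results["oidc_accepts_stray"] = True
    except PermissionError:
        results["oidc_accepts_stray"] = False
    results["oidc_accepts_proper"] = oidc_login(proper, "n-123") == "alice"
    return results


if __name__ == "__main__":
    print(demo())  # {'naive_accepts_stray': True, 'oidc_accepts_stray': False, 'oidc_accepts_proper': True}
```

The difference is the `aud` and `nonce` checks: an access token says which API may be called on the user's behalf, not which application the user just signed in to, so only a token minted for this client (the ID token) can serve as a login proof. In production the signature check uses the provider's published keys and a JOSE library rather than a shared HS256 secret.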
What problem does OAuth2 solve?
OAuth 2.0, which stands for “Open Authorization”, is a standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user. It replaced OAuth 1.0 in 2012 and is now the de facto industry standard for online authorization.
What is the main advantage of OAuth 2.0 over other authorization methods?
Key benefits of OAuth 2 include being user-friendly: since it doesn't require users to share their credentials with third-party applications, OAuth 2 improves the user experience by allowing users to access multiple applications with one set of login credentials.
What is better than OAuth2?
Security issues with OAuth2 are best addressed by choosing the right OAuth2 authorization flow for your application based on your use case, and not by token type. The advantage of using JWT over OAuth2 is improved performance and reduced process complexity for some processes.
What is a real-life example of OAuth2?
A real-life example
Here the Authorization Grant flow redirects you to the Twitter website, where you are asked to enter your username and password. You don't have to share your Twitter username and password with LinkedIn. You are just authorizing LinkedIn to do some things on your behalf.
Is OAuth2 obsolete?
It states that OAuth 2.0 is deprecated.
What's a benefit of using OAuth instead of your own basic authentication?
Enhanced Security: OAuth does not require users to provide their credentials directly to third parties, significantly reducing the risk of credential exposure.
What is OAuth 2.0 in layman's terms?
OAuth 2.0 enables the resource owner (i.e., the user) to give the client (i.e., the third-party application) access to their data without having to share their credentials. Instead, the credentials are shared with the authorization server, which issues an access token to the client.
What are the risks of OAuth2?
The redirect URI is a critical component in the OAuth 2.0 flow, determining where the authorization server sends the user after granting or denying access. Attackers can manipulate this URI to redirect users to malicious sites, potentially leading to phishing attacks or the theft of the authorization code.
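The mitigation for the redirect-URI risk described above is on the authorization server: compare the `redirect_uri` parameter against the client's registered URIs with exact string matching (as the OAuth 2.0 Security Best Current Practice requires), and never redirect to a URI that failed the check. The following is an added example, not Ory code; the client registration and URIs are constructed. It puts a prefix-matching check beside an exact-matching one and shows the authorization endpoint rendering an error page, rather than redirecting, when validation fails.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed client registration (hypothetical names): each client may only
# use the redirect URIs it registered, stored as complete strings.
REGISTERED_REDIRECT_URIS = {
    "photo-app": {"https://photo.example/oauth/callback"},
}


def loose_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Anti-pattern: accept anything that merely starts with a registered URI.
    Extra query parameters or path segments appended to the registered value pass."""
    return any(redirect_uri.startswith(registered)
               for registered in REGISTERED_REDIRECT_URIS.get(client_id, ()))


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Exact string match against the registration. Additionally refuse URIs that
    carry a fragment and plain-HTTP URIs other than loopback development hosts."""
    if redirect_uri not in REGISTERED_REDIRECT_URIS.get(client_id, ()):
        return False
    parts = urlsplit(redirect_uri)
    if parts.fragment:
        return False
    if parts.scheme != "https" and parts.hostname not in ("localhost", "127.0.0.1"):
        return False
    return True


def handle_authorize(client_id: str, redirect_uri: str, state: str, code: str) -> tuple:
    """Outcome of the authorization endpoint after the user consented.
    If redirect_uri fails validation the server shows its own error page and must
    NOT redirect to the supplied value, because that value is the untrusted input."""
    if not strict_redirect_check(client_id, redirect_uri):
        return ("error_page", "invalid redirect_uri for this client")
    parts = urlsplit(redirect_uri)
    extra = urlencode({"code": code, "state": state})
    query = f"{parts.query}&{extra}" if parts.query else extra
    return ("redirect", urlunsplit((parts.scheme, parts.netloc, parts.path, query, "")))


if __name__ == "__main__":
    # Constructed inputs: the registered URI and two variants that only differ after it.
    for candidate in ("https://photo.example/oauth/callback",
                      "https://photo.example/oauth/callback?next=https://elsewhere.example",
                      "https://photo.example/oauth/callback/../admin"):
        print(candidate, loose_redirect_check("photo-app", candidate),
              strict_redirect_check("photo-app", candidate))
```

Note that the `state` value is echoed back unchanged and the authorization code is only ever appended to a URI that passed the exact match, so even a client that registers several URIs cannot have a code delivered anywhere it did not register in full.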
REST API security is important to prevent unauthorized access to data. There are two main ways to secure REST APIs: API keys and OAuth tokens. API keys are good for read-only data, but not as good for authorization. OAuth tokens are better for authorization, but can be more complex to implement.
Should I use OpenID or OAuth2?
So, if you're looking for a way to authenticate your users, go with OpenID Connect. If you're looking for a robust way to manage a user's authorization, go with OAuth2. Ultimately, if your application needs it, you can use both.
When to use OAuth2 vs JWT?
OAuth is used for authorization to access resources on behalf of an owner, while JWT is used for authentication and exchanging information. When should I use OAuth vs JWT? You should use OAuth when you want to delegate user authorization and access to a third-party application.
When to use SAML vs OAuth?
While SAML is better to secure information, it makes sense to use OAuth when user experience is a priority, for example, on mobile devices or for quick logins and temporary access. OIDC was designed to be used with OAuth to provide single sign-on (SSO) access to HTTPS endpoints.
How does OAuth 2.0 work in a REST API?
OAuth 2.0 is a standard for implementing delegated authorization, and authorization is based on the access token required to access a resource. The access token can be issued for a given scope, which defines what the access token can do and what resources it can access.
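To make the scope and audience checks concrete on the resource-server side, here is an added example (not Ory code) of a REST API deciding a request from an access token. Since the page does not prescribe a token format, the example treats the token as opaque and uses a canned RFC 7662 token-introspection response; the resource identifier, token values and scope names are constructed. The server first confirms the token is active, addressed to this API and unexpired, then checks that the granted scopes cover the operation, answering with the RFC 6750 error codes (`invalid_token` as 401, `insufficient_scope` as 403).

```python
import time

# Constructed data (hypothetical names): the identifier this resource server expects
# in `aud`, and canned introspection responses for a handful of token strings.
RESOURCE_ID = "photos-api"
_FUTURE = int(time.time()) + 3600
INTROSPECTION_RESPONSES = {
    "tok-read": {"active": True, "sub": "alice", "client_id": "photo-app",
                 "scope": "photos.read", "aud": RESOURCE_ID, "exp": _FUTURE},
    "tok-write": {"active": True, "sub": "alice", "client_id": "photo-app",
                  "scope": "photos.read photos.write", "aud": RESOURCE_ID, "exp": _FUTURE},
    # Issued for a different API: the scope string looks right, but the audience is not us.
    "tok-other-api": {"active": True, "sub": "alice", "client_id": "calendar-app",
                      "scope": "photos.write", "aud": "calendar-api", "exp": _FUTURE},
    "tok-revoked": {"active": False},
}

# Scopes each (method, path) requires; the token's `scope` must cover all of them.
REQUIRED_SCOPES = {
    ("GET", "/photos"): {"photos.read"},
    ("DELETE", "/photos"): {"photos.write"},
}


def introspect(token: str) -> dict:
    """Stand-in for a POST to the authorization server's introspection endpoint."""
    return INTROSPECTION_RESPONSES.get(token, {"active": False})


def authorize_request(method: str, path: str, bearer_token: str) -> tuple:
    """Decide a request. Returns (HTTP status, detail): 200 with the subject,
    401 'invalid_token' when the token is unusable here, or 403 'insufficient_scope'
    when the token is valid for this API but does not cover the operation."""
    required = REQUIRED_SCOPES.get((method, path))
    if required is None:
        return (404, "unknown resource")
    info = introspect(bearer_token)
    if not info.get("active"):
        return (401, "invalid_token")
    aud = info.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if RESOURCE_ID not in audiences:
        return (401, "invalid_token")  # minted for some other API, never honour it here
    if info.get("exp", 0) <= int(time.time()):
        return (401, "invalid_token")
    granted = set(info.get("scope", "").split())
    if not required <= granted:
        return (403, "insufficient_scope")
    return (200, info["sub"])


if __name__ == "__main__":
    for method, path, token in (("GET", "/photos", "tok-read"),
                                ("DELETE", "/photos", "tok-read"),
                                ("DELETE", "/photos", "tok-write"),
                                ("DELETE", "/photos", "tok-other-api"),
                                ("GET", "/photos", "tok-revoked")):
        print(method, path, token, authorize_request(method, path, token))
```

The ordering matters: audience and expiry are checked before scope, so a token minted for another API is refused outright instead of being reported as merely lacking a scope, and the 403 path is reached only by tokens this API would otherwise accept.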
When should I use two-factor authentication?
Implementing 2FA within a business or personal setting is beneficial in protecting vulnerable networks and databases. With a mobile device, you can generate your own codes, or tokens, to provide a unique set of letters/numbers to verify your identity.
When should I use HTTP/2?
HTTP/2 offers a feature called weighted prioritization. This allows developers to decide which page resources will load first, every time. In HTTP/2, when a client makes a request for a webpage, the server sends several streams of data to the client at once, instead of sending one thing after another.