DEV Community

loading...

OAuth 2 Spec is misunderstood, why?

bam92 profile image Abel Lifaefi Mbula ・1 min read

I'm writing a course on OAuth2 and OIDC. But I'm a bit sorry to see that when I search the web, most of the articles mislead users about OAuth. In most of them, they deal with OAuth as a way to authenticate. That is not correct, it is a misuse of this framework or standard. OAuth is short for open authorization.

Let's get the definition from the body authority, Internet Engineering Task Force (IETF):

enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service or by allowing the third-party application to obtain access on its own behalf.

That's said, OAuth deals with delegated authorization nothing to have with authentification which consists of verifying if the user is what they claim they are.

I found a good post here on DEV that tries to explain well.

And you, did you also notice the misuse of OAuth? Share with us.

Discussion (0)

pic
Editor guide