I've played with OAuth2 a fair amount, and OpenID Connect to a lesser amount - writing both client and server implementations. And whilst the specs are actually really quite thorough, there's a lot of ideas that can be difficult to get to grips with when you first start. So, here's a stab at making the whole thing easier to understand.
At it's absolute heart, OAuth2 is not an authentication system. Instead, it is about Delegated Authorization. What this means is that it's a system that allows one system to act on behalf of another user.
Confused? Here's an example. Joe is using SomeFancyPhotoSite. SomeFancyPhotoSite wants permission to post to Google+ on Joe's behalf. So what happens is, SomeFancyPhotoSite initiates an OAuth2 session with Google, requiring Joe to log in. The end result of this, if Joe as accepting, is that SomeFancyPhotoSite has an Access Token from Google+ that represents Joe giving permission to post there. SomeFancyPhotoSite is now able to use this Access Token to post to Google+ with Joe's permission.
So how do we use this for Authentication? In a way, that's relatively simple. As soon as you've got the Access Token, you have proof that someone has authenticated against Google+. What the Access Token doesn't tell you is who has authenticated. There are two ways to solve this.
- If the authenticating system uses OpenID Connect then you can request what's called an id_token at the time they authenticate. This ID Token is a special token that contains, amongst other things, the ID of the user that has just authenticated.
- You can use the Access Token to retrieve the current users User Profile from the system they have authenticated with. This can often give more information than just the User ID that you can then make use of, but beware of using data that you shouldn't have access to.
At this point, we have proof that somebody has authenticated, and we have proof of who they are. This is everything we need to use OAuth2 for Authentication. You can now progress on in your application knowing that the user has been authenticated by somebody, and with enough information to know who they are in terms of your own data.