And why using OAuth for authentication is not best practice
Authentication vs Authorization
Both words look similar, sound similar, and can even both be abbreviated as “Auth”. However, it is a common misunderstanding that they can be used interchangeably. Heck, even I thought so when I was first learning about the two, and it took me so long to sort the differences out in my head that I decided to write this blog to help others in a similar situation.
So what the heck is the difference??
Authentication - the process of verifying an identity. Is this person who they say they are?
Authorization - the process of verifying that a person has the rights to perform an action. Does this person have permissions to delete the data from this database?
Obviously, in the context they are used in 99% of the time in the coding world, this refers to the permissions of a Client ID on a server, but it really helps me to think of it as a real person going through a top secret laboratory.
They first need to show their badge and maybe even submit to a fingerprint scan, a retinal scan or some other sort of top secret scan to prove they are in fact who they say they are. This is authentication.
Next, once inside the lab, in order to access the laboratory's computer codes they need to enter a passcode that tells the system they have the authority to do so. They have already been authenticated, but they still need to prove they have authorization in order to access this info.
But how does all of this relate to OAuth???
OAuth Stands for Open Authorization
Yes, of the two “Auths” it is actually the second step in our top secret lab scenario. OAuth was built as a system in which clients verify they have permission to perform whatever task is secured behind the OAuth wall they are trying to pass through.
When an authorization server issues an access token, the intended audience is the protected resource (the API being called), not the client that obtained it, so the token is not something the client can rely on as proof of who the user is.
In recent years the line between the two has blurred, with OAuth being used for authentication as well, which is why another protocol, OpenID Connect, was launched in the mid 2010s to solve this issue once and for all.
From the OpenID Connect documentation:
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
So it's not part of OAuth; it is a layer on top of it that handles authentication of the user during the call to the authorization server.
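To make the audience point concrete, here is an added example (my own illustration, not code from the post or from any OpenID Connect library) of the check a client should run before treating a token as proof of identity. It assumes constructed values: an HS256 shared key standing in for the issuer's signing key, an issuer URL, a client_id and an API audience.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (assumptions, not from the post). A shared HMAC key
# stands in for the issuer's signing key; real providers use RS256/ES256 + JWKS.
SECRET = b"demo-signing-key"
ISSUER = "https://issuer.example"
CLIENT_ID = "my-web-app"              # the client performing the login
API_AUDIENCE = "https://api.example"  # the protected resource

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(claims: dict) -> str:
    """Mint a compact HS256 JWT, as the authorization server would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_id_token(token: str, now=None) -> dict:
    """Return the claims only if the token proves the user's identity to THIS
    client; raise ValueError otherwise (signature, issuer, audience, expiry)."""
    now = time.time() if now is None else now
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    # An ID token is addressed to the client, so aud must contain our client_id.
    # An access token's audience is the API, so it is rejected even when validly signed.
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def is_identity_proof(token: str, now=None) -> bool:
    try:
        verify_id_token(token, now)
        return True
    except ValueError:
        return False
```

A validly signed access token for the API fails the audience check here, which is exactly why an OAuth access token alone should not be treated as a login.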
So at a high level that’s the difference between Authorization and Authentication, and also the difference between OAuth2 and OpenID Connect.
For an even more detailed breakdown in easy-to-understand terms, Nate Barbettini has an excellent video on the topic that I highly recommend.