13 What are OAuth 2 and OpenID Connect?


This chapter covers

  • The purpose of access tokens
  • How tokens are issued and validated in an OAuth 2 system
  • The roles involved in an OAuth 2/OpenID Connect system

Suppose you work for a large organization and use several tools in your daily work: a bug tracker, an app for documenting your work, an app for registering your time, and so on. Before you can work with each one, you have to authenticate to it. Would you use a different set of credentials for every app? Doing so could work, but it would be cumbersome for the user (you), and it would also burden each app with responsibilities beyond its actual purpose.

For you, the complexity comes from having to remember several sets of credentials and log in separately to each app you use. For the apps, the added complexity comes from the fact that each of them would need to implement authentication itself and to persist and protect the credentials: security-sensitive logic that every app would have to get right on its own, and that is duplicated as many times as there are apps.

13.1 The big picture of OAuth 2 and OpenID Connect

13.2 Using various token implementations

13.2.1 Using opaque tokens

13.2.2 Using non-opaque tokens

13.3 Obtaining tokens through various grant types

13.3.1 Getting a token using the authorization code grant type

13.3.2 Applying PKCE protection to the authorization code grant type

13.3.3 Getting a token with the client credentials grant type

13.3.4 Using refresh tokens to get new access tokens

13.4 What OpenID Connect brings to OAuth 2

13.5 The sins of OAuth 2

Summary