
What is OAuth? — Authorization Framework Explained

Definition

OAuth 2.0 is an industry-standard authorization framework that allows a user to grant a third-party application limited access to their account on another service without sharing their password. For example, when you click "Sign in with Google" on a website, OAuth is the protocol that lets the website request a specific set of permissions from Google on your behalf, with you explicitly approving what data the website can access.

How It Works

OAuth 2.0 defines several grant flows for different use cases. The most common is the Authorization Code Flow: the client redirects the user to the authorization server, the user authenticates and approves the requested scopes, the server redirects back with an authorization code, and the client exchanges the code for an access token (and optionally a refresh token) using a server-to-server request that includes the client secret. The access token is then sent in API requests in the Authorization: Bearer header. Access tokens are short-lived; refresh tokens allow obtaining new access tokens without user interaction.

Common Use Cases

  • Implementing "Sign in with Google/GitHub/Facebook" on a website
  • Allowing a third-party app to read a user's calendar without their password
  • Granting CI/CD systems scoped access to repository management APIs
  • Building API authorization where different clients have different permission levels
  • Machine-to-machine authorization using the Client Credentials grant

Example

// Authorization Code Flow
1. Redirect user to:
https://auth.example.com/authorize
  ?response_type=code
  &client_id=my-app
  &scope=read:email
  &redirect_uri=https://myapp.com/callback
  &state=RANDOM_STATE

   (the authorization server redirects back to
   https://myapp.com/callback?code=AUTH_CODE&state=RANDOM_STATE;
   the client rejects the callback if state does not match the value it sent)

2. Exchange code for token (server-to-server, form-encoded):
POST /token
Content-Type: application/x-www-form-urlencoded

  grant_type=authorization_code
  &code=AUTH_CODE
  &redirect_uri=https://myapp.com/callback
  &client_id=my-app
  &client_secret=SECRET

3. Use token in API calls:
Authorization: Bearer ACCESS_TOKEN

FAQ

What is the difference between OAuth and OpenID Connect?
OAuth 2.0 is an authorization framework — it answers "what can this app do?" OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0 — it additionally answers "who is this user?" by providing a standardized ID token (a JWT) with user profile information.
What is PKCE and why is it required for public clients?
PKCE (Proof Key for Code Exchange) is an extension to the Authorization Code Flow that prevents authorization code interception attacks. Public clients (mobile apps, SPAs) cannot safely store a client secret, so PKCE uses a cryptographically random code verifier to bind the authorization request to the token exchange.
What is the difference between access tokens and refresh tokens?
Access tokens are short-lived credentials (minutes to hours) used to call APIs. Refresh tokens are long-lived credentials (days to months) used only to obtain new access tokens when the current one expires, without requiring the user to re-authenticate.
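As an added example (not code from the devtoolkit.sh page), the following Python builds the authorization request from the flow above with a state parameter and the PKCE S256 code challenge described in the FAQ, and shows the two checks that bind the request to the token exchange: the client verifying state on the callback, and the authorization server verifying the code verifier. The endpoint, client id and redirect URI are the page's sample values; the function names are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Sample values taken from the flow above (constructed, not a real deployment).
AUTHORIZE_ENDPOINT = "https://auth.example.com/authorize"
CLIENT_ID = "my-app"
REDIRECT_URI = "https://myapp.com/callback"


def make_code_verifier() -> str:
    # RFC 7636 requires 43-128 unreserved characters; 32 random bytes
    # base64url-encoded without padding gives 43 characters.
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def code_challenge_s256(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier))) with padding stripped.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorize_url(verifier: str, state: str, scope: str = "read:email") -> str:
    # Client side: only the challenge leaves the client; the verifier stays
    # with the session until the token exchange.
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def check_state(expected: str, returned: str) -> bool:
    # Client side, on the redirect back: reject a callback whose state does
    # not match the value stored for this browser session (CSRF protection).
    return hmac.compare_digest(expected, returned)


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    # Authorization server side, at the token endpoint: recompute the challenge
    # from the verifier sent with the code and compare in constant time, so an
    # intercepted code alone cannot be redeemed.
    return hmac.compare_digest(stored_challenge, code_challenge_s256(presented_verifier))
```

The state value should be generated with secrets.token_urlsafe() per login attempt and stored server-side alongside the verifier.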
