
System Design

OAuth and OpenID Connect

Delegating authorization with OAuth and adding identity with OpenID Connect.

6 min read · advanced

Two different jobs

People confuse these constantly. OAuth 2.0 is an authorization framework: it lets an app act on a resource on your behalf, within a granted scope, without ever seeing your password. OpenID Connect is an identity layer built on top of OAuth 2.0 that adds authentication: an ID token that tells the app who you are. An access token alone does not do that job; it authorizes a call to an API but says nothing reliable to the app about which user is behind it.

The authorization code flow

  • The user is redirected to the authorization server to log in and consent.
  • The app receives a short-lived, single-use authorization code at its redirect URI, not the user's credentials and not a token.
  • The app exchanges the code at the token endpoint for an access token and, with OpenID Connect, also an ID token.
  • The access token authorizes API calls; the ID token proves the user's identity to the app.

Why the code exchange matters

The code is exchanged over a back channel, server to server, and the app authenticates to the token endpoint with its client secret, so the tokens never appear in the browser URL, browser history or Referer headers. This is far safer than the older implicit flow, which returned the access token directly in the redirect URL fragment. Two details matter in practice: the code is single-use and expires within minutes, so an intercepted code is of little value on its own, and a public client that cannot keep a secret (a single-page app or a mobile app) uses PKCE, proving at the token endpoint that it is the party that started the request, in place of a client secret.
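The four steps above and the server-side exchange, simulated end to end in Python as an added example (this is not code from the lesson or from any real authorization server). The authorization server, the app and the browser redirect are all modelled as plain function calls in one process. The client name `demo-app`, the secret, the URLs `https://idp.example` and `https://app.example/cb`, and the HS256-signed ID token are assumptions made for the example; the `state`, `nonce` and PKCE checks are extras the lesson does not cover but a real client performs.

```python
# Added example: in-memory simulation of the OAuth 2.0 authorization code flow
# with an OpenID Connect ID token. Names, URLs and secrets are made up.
import base64, hashlib, hmac, json, secrets, time

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def jwt_hs256(claims: dict, secret: str) -> str:
    """Mint a compact JWT signed with HMAC-SHA256 (HS256, keyed with the client secret).
    OpenID Connect allows this; most public deployments use RS256/ES256 with JWKS instead."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

class AuthorizationServer:
    """Authorization endpoint, token endpoint and a tiny resource API in one object."""
    def __init__(self, issuer, clients, clock=time.time):
        self.issuer, self.clients, self.clock = issuer, clients, clock
        self.codes = {}       # code -> grant; popped on first use, so every code is single-use
        self.resources = {}   # access token -> (subject, scope) the API trusts

    def authorize(self, client_id, redirect_uri, scope, state, nonce, code_challenge, user):
        """Runs after login and consent; returns what the browser redirect carries back."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri != client["redirect_uri"]:
            raise ValueError("unknown client or redirect_uri not registered")
        code = secrets.token_urlsafe(32)
        self.codes[code] = dict(client_id=client_id, redirect_uri=redirect_uri, scope=scope,
                                nonce=nonce, user=user, code_challenge=code_challenge,
                                exp=self.clock() + 60)   # short-lived: one minute
        return {"code": code, "state": state}

    def token(self, client_id, client_secret, code, redirect_uri, code_verifier):
        """Back-channel exchange: the app authenticates, the code is consumed."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client_secret, client["secret"]):
            raise PermissionError("client authentication failed")
        grant = self.codes.pop(code, None)
        if (grant is None or grant["exp"] < self.clock()
                or grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri):
            raise PermissionError("invalid, expired or already-used code")
        expected = b64url(hashlib.sha256(code_verifier.encode()).digest())
        if not hmac.compare_digest(expected, grant["code_challenge"]):
            raise PermissionError("PKCE code_verifier does not match")
        now = int(self.clock())
        access_token = secrets.token_urlsafe(32)
        self.resources[access_token] = (grant["user"], grant["scope"])
        claims = {"iss": self.issuer, "sub": grant["user"], "aud": client_id,
                  "nonce": grant["nonce"], "iat": now, "exp": now + 300}
        return {"access_token": access_token, "token_type": "Bearer",
                "id_token": jwt_hs256(claims, client_secret)}

    def api(self, access_token):
        """Resource server: the access token, not the ID token, authorizes the call."""
        if access_token not in self.resources:
            raise PermissionError("unauthorized")
        subject, scope = self.resources[access_token]
        return {"owner": subject, "scope": scope}

def verify_id_token(token, secret, issuer, client_id, nonce, clock=time.time):
    """Client-side check: right signer, right issuer, addressed to us, unexpired, right nonce."""
    header, body, sig = token.split(".")
    mac = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(mac), sig):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["iss"] != issuer or claims["aud"] != client_id:
        raise ValueError("issuer or audience mismatch")
    if claims["exp"] < clock():
        raise ValueError("ID token expired")
    if claims["nonce"] != nonce:
        raise ValueError("nonce mismatch")
    return claims

def run_flow(user="alice"):
    """Walks the lesson's four steps end to end; client name, secret and URLs are made up."""
    client_id, secret, redirect = "demo-app", "demo-client-secret", "https://app.example/cb"
    srv = AuthorizationServer("https://idp.example",
                              {client_id: {"secret": secret, "redirect_uri": redirect}})
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)   # fresh per login
    verifier = secrets.token_urlsafe(32)                                   # PKCE secret, app-side only
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    # Steps 1-2: user authenticates at the server; the browser returns with a code, not a token.
    cb = srv.authorize(client_id, redirect, "openid profile", state, nonce, challenge, user)
    if cb["state"] != state:
        raise ValueError("state mismatch: callback was not started by this app")
    # Step 3: server-side exchange using the client secret (and the PKCE verifier).
    tokens = srv.token(client_id, secret, cb["code"], redirect, verifier)
    # Step 4: ID token identifies the user to the app; access token authorizes the API call.
    identity = verify_id_token(tokens["id_token"], secret, srv.issuer, client_id, nonce)
    api_result = srv.api(tokens["access_token"])
    try:   # a leaked code is worthless once used, even to a caller holding the secret
        srv.token(client_id, secret, cb["code"], redirect, verifier)
        replayed = True
    except PermissionError:
        replayed = False
    return {"sub": identity["sub"], "api": api_result, "code_replayed": replayed}

if __name__ == "__main__":
    print(run_flow())
```

Running the script prints the subject the ID token asserted, the API response the access token unlocked, and `code_replayed: False`, showing that a second presentation of the same code is refused. Note that the ID token is never sent to the API and the access token is never parsed by the app: each token has exactly one consumer.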

Key idea

OAuth delegates authorization and OpenID Connect adds identity, with the authorization code flow exchanging a code for tokens server side.

Check yourself


1. What does OpenID Connect add on top of OAuth?

2. Why exchange an authorization code instead of returning tokens directly?

3. What is the access token used for?