[ratiolat]

I wish they renamed the thing to OAuthorize. The current name is confusing. It's not for AUTHentication, it's for AUTHorization.

[ancymon]

Isn't it other way around? Authentication is about confirming one's identity and that's what oAuth is used for. Authorization is about giving proper permissions and that's what happens after you get authenticated and has nothing to do with oAuth. Am I missing something?

[preommr]

It's really stupid because it is an authorization protocol that people use for authentication because if you have access to certain resources, it implies you're a particular user.

[tenplusfive]

OAuth 2.0 is meant for Authorization. Multiple parties used if for Authentication, which is why a standardized Authentication layer was built on top of OAuth which is called OpenID Connect.

[magicalhippo]

No, I believe you got it 100% backwards.

See the diagram in the RFC[1] and section 1.3 just below it. Sure OAuth usually involves authentication, but OAuth doesn't really care how it's done.

Then again, not my field of expertise so I might be wrong.

[1]: https://tools.ietf.org/html/rfc6749#section-1.2