by cobralibre
4147 days ago
It's true, OAuth 2.0 alone isn't intended to be used for authentication. Think of it this way: An OAuth access token is often described as being analogous to a valet key — anybody bearing the valet key can unlock whatever it is that the valet key unlocks, but this says nothing about the bearer of the valet key. Google now uses an OAuth 2.0 extension called OpenID Connect. This introduces an entity that's analogous to a referral letter [1], the ID token. It's basically a little string of encoded (possibly encrypted, possibly signed) JSON containing 'claims' about the authentication state of the end user. The client application can then validate that token to confirm to its satisfaction that the authentication happened for some particular user — and that the ID token was created for it and not some other application. [1] http://nat.sakimura.org/2011/05/15/dummys-guide-for-the-diff...