Reputation: 9298
Is OAuth2 Authorization Code flow an authentication protocol?
According to the following documentation, I understand that OAuth2 is an Authorization protocol:
Considering that OAuth 2.0 authorization code flow is an authorization protocol, why in many application types and scenarios (including the code example below), authorization code flow is used to authenticate a user (using its password) then provides an access token to the application.
https://github.com/Azure-Samples/active-directory-b2c-dotnet-desktop
The confusion I have is that most OAuth2 flows use a user's password to identify her/him then provide an access token to the application.
As another example, I learned that PowerApps portal uses OAuth2 PKCE to identify users through B2C. It seems that PowerApps uses OAuth2 PKCE to authenticate users, not authenticate them. I was expecting OpenID Connect should be used for such a scenario.
Is OAuth2 Authorization Code flow an authentication or authentication protocol or both of them?
Upvotes: 0
Views: 428
Answers (1)
Reputation: 46720
Yes, OAuth2 is an authorization protocol.
It did not provide a consistent way to authenticate and the social providers e.g. Facebook, Twitter etc. then rolled their own authentication models to provide this service.
As a result, OpenID Connect was developed. This provides a standard way to authenticate and is built on top of OAuth2.
(There was an earlier standard called OpenID for authentication but that is not often used now).
As per this:
"OpenID Connect (OIDC) is an authentication protocol built on OAuth 2.0 that you can use to securely sign in a user to an application. When you use the Microsoft identity platform's implementation of OpenID Connect, you can add sign-in and API access to your apps.
OpenID Connect extends the OAuth 2.0 authorization protocol for use as an authentication protocol, so that you can do single sign-on using OAuth.
OpenID Connect introduces the concept of an ID token, which is a security token that allows the client to verify the identity of the user.
The ID token also gets basic profile information about the user. It also introduces the UserInfo endpoint, an API that returns information about the user".
PKCE is for "OAuth 2.0 public clients utilizing the Authorization Code Grant.
These are susceptible to authorization code interception attacks.
This specification describes the attack as well as a technique to mitigate against the threat through the use of Proof Key for Code Exchange (PKCE, pronounced "pixy")".
So after authenticating with OIDC, PKCE makes the Authorization Code Grant flow more secure.
Upvotes: 4
Related Questions
- Why is there an "Authorization Code" flow in OAuth2 when "Implicit" flow works so well?
- The differences between authentication protocols and authentication flows
- Is Active Directory not supporting Authorization Code Flow with PKCE?
- Azure B2C - 2 Applications, Different Protocols
- Azure AD ADAL Implicit flow clarification
- Azure AD B2C - Auth code flow vs implicit grant flow based on client types
- Understanding Azure B2C Auth flow - Oauth 2.0 and openID connect
- Does Azure Active Directory B2C work with Oauth or Open ID?
- Is the OAuth2 implicit flow always 3-legged?
- oauth2 - Authorization Flow