Why OAuth2 is not for authentication.

If you are like me, you might have thought OAuth 2 is for both authentication and authorization. After all, the main OAuth 2 flows ( Authorization Code, Implicit, User Credentials ) all require a resource owner to authenticate against an authorization server.  In this post, I’ll talk about some of the reasons I’ve learned why OAuth 2 is not for authentication.

Continue reading