OAuth 2.0 and OpenID Connect: A Practical Guide for Web Developers
Learn the difference between OAuth 2.0 and OpenID Connect, how authorization code with PKCE works, and how to handle tokens and scopes safely.
On this page
OAuth 2.0 is an authorization framework for accessing protected resources. OpenID Connect (OIDC) adds an identity layer so a client can verify who signed in. Understanding the distinction prevents treating an access token as proof of identity.
#Authentication and authorization
Authentication answers who the user is; authorization answers what the user may do. OAuth is primarily delegated authorization. OIDC defines identity claims. Your API still enforces permissions on every protected operation.
#Authorization code with PKCE
For browser and mobile applications, authorization code with PKCE is a modern flow. The client creates a verifier and challenge, redirects the user with client, redirect URI, scopes, state, and challenge, validates the returned state, and exchanges the code with the verifier.
Use an exact registered redirect URI. Never accept an arbitrary redirect destination from a query parameter.
#Tokens and scopes
Access tokens are credentials for an API. ID tokens are identity assertions for the client. Validate issuer, audience, signature, expiry, and nonce where applicable. Refresh tokens are high-value secrets that need secure storage, rotation, and revocation.
Scopes describe delegated access. Roles, tenants, and application permissions still need explicit authorization checks in the resource server.
#Sessions and CSRF
State binds an authorization response to the browser session. Cookies need deliberate SameSite, Secure, and HttpOnly settings. CORS does not replace CSRF protection, and tokens should never be placed in URLs or logs.
#Service-to-service OAuth
Backend services can use a client-credentials style flow when no end user is involved. Give each service its own identity and minimum scopes. Rotate secrets or use workload identity where the platform supports it.
#Testing and mistakes
Test denied consent, invalid state, expired codes, wrong audiences, missing scopes, revoked refresh tokens, provider outages, and account linking. Common mistakes include skipping PKCE, accepting any redirect URI, trusting decoded JWT claims without validation, and using an ID token to authorize an API.
#Frequently asked questions
#Is OAuth an authentication protocol?
OAuth is mainly authorization. OpenID Connect adds standardized identity.
#What is PKCE for?
PKCE binds the code exchange to the client that started it and protects public clients from interception.
#Conclusion
Secure OAuth and OIDC integrations depend on precise boundaries. Choose the right flow, validate the full token context, protect redirect and session state, separate identity from authorization, and test failure cases.