Devii · APIs & integration · 2026-05-06 · 9 min read
OAuth 2.0 And OpenID Connect: Authorization Vs Authentication
Clear definitions from IETF and OpenID specs: when to use authorization code flow, what an ID token is, and what OIDC adds.
**OAuth 2.0** (RFC 6749 and related BCPs) is an **authorization** framework: it lets a client obtain limited access to a resource on behalf of a user, without handing the client the user's password. **OpenID Connect (OIDC)** builds on OAuth 2.0 to provide **authentication**: an **ID token** (a JWT in typical profiles) asserts who signed in.
For web apps, the **authorization code flow** with **PKCE** (RFC 7636) is the modern default for public clients. Confidential server-side apps exchange the code at the token endpoint using client authentication. Implicit flows are legacy; current BCPs discourage them for new work.
Terms to use precisely: **scopes** limit authorization; **claims** describe the subject in tokens; **issuer (`iss`)** and **audience (`aud`)** must be validated on every token you accept. Federation links your app to an identity provider (Auth0, Entra ID, Okta, Keycloak, etc.) using the same standards.
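The two mechanics above, PKCE challenge derivation and ID-token claim checking, as an added stdlib-only example that is not part of the original article. It assumes the provider signed the ID token with HS256 keyed on the client secret (permitted by OIDC Core; production clients usually verify RS256 signatures against the provider's JWKS), and `sign_hs256` exists only to mint a constructed token for the demo.

```python
# Added example: PKCE (RFC 7636, S256) and ID-token validation with the
# Python standard library. Assumes an HS256 token keyed on the client
# secret; a real client normally fetches RS256 keys from the OP's JWKS.
import base64, hashlib, hmac, json, secrets, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge) for the S256 method."""
    verifier = b64url(secrets.token_bytes(32))   # 43 chars, high entropy
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Constructed token for the demo: what an OP would mint with HS256."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def validate_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                      nonce: str, now=None) -> dict:
    """Check alg, signature, iss, aud, exp and nonce; raise on any failure."""
    now = int(time.time()) if now is None else now
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":        # pin the expected alg; never trust the header
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:         # binds the token to this login attempt
        raise ValueError("nonce mismatch")
    return claims
```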
Read `openid.net/specs` and the IETF OAuth working group drafts marked as BCP before implementation. This article does not endorse a specific vendor.