AuthN CS: clarify OAuth (authorization) vs OpenID Connect (authentication); replace legacy 'OpenId' subsection #1776
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -303,21 +303,15 @@ Enable logging and monitoring of authentication functions to detect attacks/fail | |
|
||
While authentication through a combination of username, password, and multi-factor authentication is considered generally secure, there are use cases where it isn't considered the best option or even safe. Examples of this are third-party applications that desire to connect to the web application, either from a mobile device, another website, desktop, or other situations. When this happens, it is NOT considered safe to allow the third-party application to store the user/password combo, since then it extends the attack surface into their hands, where it isn't in your control. For this and other use cases, there are several authentication protocols that can protect you from exposing your users' data to attackers. | ||
|
||
### OAuth | ||
### OAuth 2.0 | ||
|
||
Open Authorization (OAuth) is a protocol that allows an application to authenticate against a server as a user, without requiring passwords or any third-party server that acts as an identity provider. It uses a token generated by the server and provides how the authorization flows most occur, so that a client, such as a mobile application, can tell the server what user is using the service. | ||
**OAuth 2.0 is an authorization framework**, not an authentication protocol. It enables a client to obtain scoped, time-limited access to protected resources via access tokens issued by an authorization server. Use OAuth 2.0 for **authorization** (delegating access to APIs and resources). For end user authentication/SSO, use **OpenID Connect (OIDC)** (see below). | ||
|
||
The recommendation is to use and implement [OAuth 2.0](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics) since the very first version (OAuth1.0) has been found to be vulnerable to session fixation. | ||
See also: [OAuth 2.0 Cheat Sheet](OAuth2_Cheat_Sheet.md) | ||
|
||
OAuth 2.0 relies on HTTPS for security and is currently used and implemented by APIs from companies such as Facebook, Google, Twitter, and Microsoft. OAuth 1.0a is more difficult to use because it requires the use of cryptographic libraries for digital signatures. However, since OAuth 1.0a does not rely on HTTPS for security, it can be more suited for higher-risk transactions. | ||
### OpenID Connect (OIDC) | ||
|
||
### OpenId | ||
Maybe add something on this subsection explaining that OpenId is completely different from OpenID Connect? That is a frequent source of confusion ("We will integrate with ThirdPartySoftware, they do OpenID and we support it." two weeks later "Actually we don't support OpenID but OpenID Connect 😢 ")
Agree 100%. One is for delegation and one is for Federation
@pankajtaneja5 can you add that?
||
|
||
OpenId is an HTTP-based protocol that uses identity providers to validate that a user is who they say they are. It is a very simple protocol that allows a service-provider-initiated way for single sign-on (SSO). This allows the user to reuse a single identity given to a trusted OpenId identity provider and be the same user on multiple websites, without the need to provide any website with the password, except for the OpenId identity provider. | ||
|
||
Due to its simplicity and that it provides protection of passwords, OpenId has been well adopted. Some of the well-known identity providers for OpenId are Stack Exchange, Google, Facebook, and Yahoo! | ||
|
||
For non-enterprise environments, OpenId is considered a secure and often better choice, as long as the identity provider is of trust. | ||
**OpenID Connect 1.0 (OIDC)** is an identity layer built **on top of OAuth 2.0**. It defines how a client (Relying Party) verifies the end-user’s identity using an **ID Token** (a signed JWT) and how to obtain user claims in an interoperable way. Use OIDC when you need **authentication/SSO**; use OAuth 2.0 for **authorization** to APIs. Validate ID Tokens (issuer, audience, signature, expiry) on the relying party and prefer well-maintained libraries or provider SDKs. | ||
|
||
### SAML | ||
|
||
|
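Review bot: The ID Token validation list in the new OIDC paragraph, "Validate ID Tokens (issuer, audience, signature, expiry)", omits the nonce check: when the Relying Party sent a `nonce` in the authentication request, it must verify that the ID Token carries a matching `nonce` claim, otherwise an ID Token captured from one login can be replayed into another session. Suggest "(issuer, audience, signature, expiry, and nonce when one was sent)". Also, the inline review on the removed "### OpenId" heading asks for a sentence stating that OpenID 2.0 is a separate, unrelated protocol from OpenID Connect; the new OIDC paragraph does not yet say this, so the confusion the reviewers describe is still unaddressed after the legacy subsection is deleted.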
What about "OAuth 2"? OAuth 2.1 is going to be around somewhat soon (?) and all of this applies to OAuth 2.0 as well as OAuth 2.1.

I think we should only mention 2.0 and 2.1

@pankajtaneja5 can you add that