API Academy

Understanding OAuth 2.0 and OpenID Connect

If you work with APIs, you will inevitably encounter OAuth 2.0. It is the industry-standard protocol for authorization. OpenID Connect (OIDC), which adds an identity layer on top of it, is often used alongside it. This article explains how the two work together.

What is OAuth 2.0?

OAuth 2.0 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service. It delegates authentication to the service that hosts the user account and lets that service authorize third-party applications to access the account.
Key Concept: It lets you give an app access to your data without giving it your password (e.g., "Log in with Google").

The Roles

1. Resource Owner: The User (You).
2. Client: The Application attempting to access the user's account (e.g., Apidog, a mobile app).
3. Authorization Server: The server presenting the login screen and issuing tokens (e.g., Google's Auth Server, Auth0).
4. Resource Server: The API hosting the protected data (e.g., Google Drive API).

Common Grant Types

Technically called "flows," these determine how the client gets the token.
1. Authorization Code Flow: The Gold Standard. Used for server-side apps and mobile/SPA apps (with PKCE).
   The user is redirected to the Auth Server -> logs in -> the Auth Server redirects back with a "Code" -> the Client exchanges the Code for a Token.
2. Client Credentials Flow: Used for machine-to-machine (M2M) communication.
   Service A talks to Service B using a Client ID and Secret. No user is involved.

What is OpenID Connect (OIDC)?

OAuth 2.0 is strictly for authorization (access). It doesn't tell the Client who the user is or when they logged in. This is where OIDC comes in.
OIDC is a thin identity layer on top of OAuth 2.0.
OAuth provides an Access Token (The key to the door).
OIDC provides an ID Token (The ID card saying who you are).
If you use OIDC, you get both tokens in the response. The ID Token is usually a JWT (JSON Web Token) containing user profile data (email, name, picture).
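To make the Access Token / ID Token distinction concrete, here is an added example in Python (not code from the original article): a constructed token endpoint response that carries both tokens, and the checks a Client should run on the id_token before trusting the profile claims inside it. The issuer URL, client_id, signing key and claims are all constructed for this example. Real Authorization Servers sign ID Tokens with asymmetric keys (RS256/ES256) published at a JWKS endpoint; HS256 with a shared key is used here only so that the example runs offline, and the JWT format itself is the subject of the next chapter.

```python
"""An OIDC token response and the checks a Client runs on its id_token.
Added example; issuer, client_id, key and claims are constructed. Real servers
sign ID Tokens with RS256/ES256 keys published at a JWKS URL; HS256 with a
shared key is used here only to keep the example self-contained."""
import base64
import hashlib
import hmac
import json

ISSUER = "https://auth.example.com"                 # assumption: the Authorization Server
CLIENT_ID = "example-client-id"                     # assumption: our Client's id
SHARED_KEY = b"constructed-demo-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict) -> str:
    """Stand-in for the Authorization Server: build and HS256-sign an ID Token."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SHARED_KEY, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def check_id_token(token: str, expected_nonce: str, now: int) -> tuple[list, dict]:
    """Return (problems, claims). An empty problems list means the token is
    acceptable; claims is empty whenever the signature could not be verified.

    These are the checks OIDC Core 3.1.3.7 requires of the Client: signature,
    then iss, aud, exp and nonce. Only after them may the profile claims be trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a three-part JWT"], {}
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":              # pin the algorithm; never honour "none"
        return [f"unexpected alg {header.get('alg')!r}"], {}
    expected_sig = hmac.new(SHARED_KEY, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        return ["signature mismatch"], {}         # unverified claims are not read at all
    claims = json.loads(b64url_decode(payload_b64))
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not include this client")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch (replay or another login)")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("token expired")
    return problems, claims


def sample_token_response(now: int, nonce: str) -> dict:
    """Constructed token endpoint response. The access_token is an opaque key
    for the Resource Server; the id_token is a JWT about the user. Both arrive
    together because the authorization request included the 'openid' scope."""
    id_token = mint_id_token({
        "iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID,
        "iat": now, "exp": now + 3600, "nonce": nonce,
        "email": "jane@example.com", "name": "Jane Doe",
    })
    return {"access_token": "opaque-access-token-for-the-api",
            "token_type": "Bearer", "expires_in": 3600, "id_token": id_token}


def who_logged_in(response: dict, nonce: str, now: int) -> dict:
    """Identify the user from the id_token, never from the access_token."""
    problems, claims = check_id_token(response["id_token"], nonce, now)
    if problems:
        raise ValueError("; ".join(problems))
    return {"sub": claims["sub"], "email": claims.get("email"), "name": claims.get("name")}
```

The access_token is treated as opaque and simply forwarded to the API; only the id_token is parsed, and only after its signature checks out. The nonce comparison is what ties the ID Token back to the login the Client actually started, which is why the Client must remember the nonce it sent in the authorization request.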

The Flow in Action (Auth Code)

1. User clicks "Login": The app redirects the browser to the Authorization Server.
2. User Authenticates: The user enters credentials on the Authorization Server's page.
3. Consent: The user approves the app's request ("Access your contacts?").
4. Code Exchange: The Server redirects back to the App with a one-time code.
5. Token Request: The App sends the Code + Client Secret (or PKCE verifier) to the Auth Server.
6. Response: The Auth Server validates the code and returns:
   • access_token: To call the API.
   • id_token: To identify the user.
   • refresh_token: To get new access tokens when the old one expires.
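The six steps above, together with the PKCE variant and the Client Credentials grant mentioned under Common Grant Types, driven end to end in Python as an added example (not code from the original article). Everything in it is constructed: the endpoint URLs, client_id, redirect URI, the authorization code that comes back in the callback, and the Authorization Server's side of the PKCE check. No network requests are made; the functions build exactly the requests a Client would send and show the two checks (state and code_verifier) that protect the exchange.

```python
"""Authorization Code flow with PKCE (RFC 7636), both sides, run offline.
Added example; all URLs, ids and server replies are constructed."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://auth.example.com/authorize"   # assumption
TOKEN_URL = "https://auth.example.com/token"           # assumption
CLIENT_ID = "example-client-id"                        # assumption
REDIRECT_URI = "https://app.example.com/callback"      # assumption


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method.

    The verifier never leaves the client; only its SHA-256 hash travels in the
    authorization request, so an intercepted code cannot be redeemed without it."""
    verifier = b64url(secrets.token_bytes(32))   # 43 chars, inside the RFC's 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_url(scopes, state, nonce, code_challenge) -> str:
    """Step 1: the URL the browser is redirected to. Including 'openid' in the
    scope turns a plain OAuth request into an OIDC one, so an id_token comes back."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,                   # ties the callback to this browser session (CSRF)
        "nonce": nonce,                   # echoed inside the id_token to detect replay
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def code_from_callback(callback_url: str, expected_state: str) -> str:
    """Step 4: the Authorization Server redirected back. Verify state before
    trusting the code; a mismatch means this response was not for our session."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch, discarding callback")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


def token_request_body(code: str, code_verifier: str) -> dict:
    """Step 5: form fields POSTed to TOKEN_URL. A public client (SPA, mobile)
    proves possession with code_verifier; a confidential server-side client
    would authenticate with its client_secret as well."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": code_verifier,
    }


def client_credentials_body(scopes) -> dict:
    """The machine-to-machine grant: no user, no redirect. The client_id and
    client_secret normally travel in an HTTP Basic Authorization header."""
    return {"grant_type": "client_credentials", "scope": " ".join(scopes)}


def server_checks_pkce(code_verifier: str, stored_challenge: str) -> bool:
    """Step 6, Authorization Server side: recompute S256 over the verifier and
    compare it with the challenge stored when the code was issued."""
    recomputed = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return secrets.compare_digest(recomputed, stored_challenge)


def run_flow() -> dict:
    """Drive steps 1 to 6 with a constructed Authorization Server."""
    verifier, challenge = make_pkce_pair()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    auth_url = build_authorization_url(["openid", "profile", "email"], state, nonce, challenge)
    # Steps 2 and 3 happen on the Authorization Server's pages. It then redirects
    # back with a one-time code (constructed value) and echoes our state.
    callback = f"{REDIRECT_URI}?{urlencode({'code': 'SplxlOBeZQQYbYS6WxSbIA', 'state': state})}"
    code = code_from_callback(callback, state)
    body = token_request_body(code, verifier)
    # The server looks up the challenge it stored for this code and checks the verifier.
    pkce_ok = server_checks_pkce(body["code_verifier"], challenge)
    return {"auth_url": auth_url, "token_body": body, "pkce_ok": pkce_ok}
```

Calling run_flow() returns the authorization URL from step 1, the token request body from step 5 and the result of the server's PKCE check from step 6. Note that the public-client body contains no client_secret at all: the code_verifier is what proves the token request comes from the same client that started the flow, which is why PKCE is the recommended shape for mobile and SPA apps that cannot keep a secret.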

Key Takeaways

OAuth 2.0 handles Access: Use it to let App A access App B's resources.
OIDC handles Identity: Use it to log users in and get their profile info.
Never handle passwords: With these protocols, your app never sees the user's password, reducing security risk.
Next Step: These protocols rely heavily on a specific token format. You see it everywhere: ey.... Let's learn about JSON Web Tokens (JWT).
Modified at 2025-12-29 04:30:23