<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en-GB">
	<id>https://knowledgebase.pirho.net/index.php?action=history&amp;feed=atom&amp;title=OAuth_2.0%2C_OpenID_Connect%2C_and_WebAuthn</id>
	<title>OAuth 2.0, OpenID Connect, and WebAuthn - Revision history</title>
	<link rel="self" type="application/atom+xml" href="https://knowledgebase.pirho.net/index.php?action=history&amp;feed=atom&amp;title=OAuth_2.0%2C_OpenID_Connect%2C_and_WebAuthn"/>
	<link rel="alternate" type="text/html" href="https://knowledgebase.pirho.net/index.php?title=OAuth_2.0,_OpenID_Connect,_and_WebAuthn&amp;action=history"/>
	<updated>2026-07-11T15:39:50Z</updated>
	<subtitle>Revision history for this page on the wiki</subtitle>
	<generator>MediaWiki 1.43.0</generator>
	<entry>
		<id>https://knowledgebase.pirho.net/index.php?title=OAuth_2.0,_OpenID_Connect,_and_WebAuthn&amp;diff=395&amp;oldid=prev</id>
		<title>Dex: Created page with &quot;= OAuth 2.0, OpenID Connect, and WebAuthn = == How Modern Authentication and Authorization Actually Fit Together ==  &#039;&#039;&#039;Summary:&#039;&#039;&#039;   OAuth 2.0, OpenID Connect (OIDC), and WebAuthn are often discussed together, but they solve fundamentally different problems. Confusion arises when they are treated as competing technologies rather than complementary layers. This article explains how OAuth 2.0 handles authorization, how OIDC adds identity and authentication semantics, and...&quot;</title>
		<link rel="alternate" type="text/html" href="https://knowledgebase.pirho.net/index.php?title=OAuth_2.0,_OpenID_Connect,_and_WebAuthn&amp;diff=395&amp;oldid=prev"/>
		<updated>2026-04-20T05:34:24Z</updated>

		<summary type="html">&lt;p&gt;Created page with &amp;quot;= OAuth 2.0, OpenID Connect, and WebAuthn = == How Modern Authentication and Authorization Actually Fit Together ==  &amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;   OAuth 2.0, OpenID Connect (OIDC), and WebAuthn are often discussed together, but they solve fundamentally different problems. Confusion arises when they are treated as competing technologies rather than complementary layers. This article explains how OAuth 2.0 handles authorization, how OIDC adds identity and authentication semantics, and...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;= OAuth 2.0, OpenID Connect, and WebAuthn =&lt;br /&gt;
== How Modern Authentication and Authorization Actually Fit Together ==&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;  &lt;br /&gt;
OAuth 2.0, OpenID Connect (OIDC), and WebAuthn are often discussed together, but they solve fundamentally different problems. Confusion arises when they are treated as competing technologies rather than complementary layers. This article explains how OAuth 2.0 handles authorization, how OIDC adds identity and authentication semantics, and where FIDO2 / WebAuthn fits cleanly as a modern, phishing-resistant authentication method within that stack.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
Modern systems rarely authenticate users directly. Instead, authentication, identity, and authorization are intentionally split across components:&lt;br /&gt;
&lt;br /&gt;
* Applications no longer want to handle passwords&lt;br /&gt;
* APIs need scoped access without user credentials&lt;br /&gt;
* Authentication strength needs to vary by context and risk&lt;br /&gt;
* Passwordless and phishing-resistant mechanisms are now practical&lt;br /&gt;
&lt;br /&gt;
OAuth 2.0, OIDC, and WebAuthn exist because no single mechanism solves all of these concerns cleanly.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
== OAuth 2.0: Delegated Authorization ==&lt;br /&gt;
&lt;br /&gt;
OAuth 2.0 is &amp;#039;&amp;#039;&amp;#039;not&amp;#039;&amp;#039;&amp;#039; an authentication protocol. It is a framework for delegating access to resources.&lt;br /&gt;
&lt;br /&gt;
In simple terms:&lt;br /&gt;
&lt;br /&gt;
:&amp;#039;&amp;#039;“This application may do these specific things on my behalf.”&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
=== Core OAuth Concepts ===&lt;br /&gt;
&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;Resource Owner&amp;#039;&amp;#039;&amp;#039; – the user&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;Client&amp;#039;&amp;#039;&amp;#039; – the application requesting access&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;Authorization Server&amp;#039;&amp;#039;&amp;#039; – issues tokens&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;Resource Server&amp;#039;&amp;#039;&amp;#039; – the API being accessed&lt;br /&gt;
&lt;br /&gt;
OAuth introduces access tokens that are time-limited, scope-bound, and revocable.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
== OpenID Connect: Adding Identity ==&lt;br /&gt;
&lt;br /&gt;
OpenID Connect (OIDC) is a thin identity layer built on OAuth 2.0.&lt;br /&gt;
&lt;br /&gt;
OAuth answers:&lt;br /&gt;
:&amp;#039;&amp;#039;“What is this client allowed to access?”&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
OIDC answers:&lt;br /&gt;
:&amp;#039;&amp;#039;“Who authenticated, how, and when?”&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
=== What OIDC Adds ===&lt;br /&gt;
&lt;br /&gt;
* ID Tokens (JWTs)&lt;br /&gt;
* Standard identity claims (sub, iss, aud, exp)&lt;br /&gt;
* Authentication semantics&lt;br /&gt;
* Profile and assurance signalling&lt;br /&gt;
&lt;br /&gt;
OIDC standardises login without redefining OAuth itself.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
== Authentication Remains Abstract ==&lt;br /&gt;
&lt;br /&gt;
Neither OAuth nor OIDC defines how authentication occurs.&lt;br /&gt;
&lt;br /&gt;
They do not mandate:&lt;br /&gt;
* Passwords&lt;br /&gt;
* OTPs&lt;br /&gt;
* Biometrics&lt;br /&gt;
* Hardware keys&lt;br /&gt;
&lt;br /&gt;
They only require that authentication has succeeded before tokens are issued.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
== WebAuthn: Authentication, Not Identity ==&lt;br /&gt;
&lt;br /&gt;
WebAuthn is a cryptographic authentication mechanism providing:&lt;br /&gt;
&lt;br /&gt;
* Public-key authentication&lt;br /&gt;
* Origin binding&lt;br /&gt;
* Phishing resistance&lt;br /&gt;
* No shared secrets&lt;br /&gt;
&lt;br /&gt;
It does not provide identity federation, tokens, or scopes.&lt;br /&gt;
&lt;br /&gt;
WebAuthn replaces passwords and weak MFA factors within the authentication step.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
== Layered Architecture ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
[ Authentication Methods ]&lt;br /&gt;
    - Password&lt;br /&gt;
    - OTP&lt;br /&gt;
    - WebAuthn (FIDO2)&lt;br /&gt;
&lt;br /&gt;
[ Identity Layer ]&lt;br /&gt;
    - OpenID Connect&lt;br /&gt;
&lt;br /&gt;
[ Authorization Layer ]&lt;br /&gt;
    - OAuth 2.0&lt;br /&gt;
&lt;br /&gt;
[ Applications / APIs ]&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This separation allows authentication methods to evolve without breaking applications or APIs.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
== WebAuthn Inside OAuth / OIDC ==&lt;br /&gt;
&lt;br /&gt;
In modern systems, WebAuthn appears as just another authentication method.&lt;br /&gt;
&lt;br /&gt;
Typical flow:&lt;br /&gt;
&lt;br /&gt;
# User initiates login&lt;br /&gt;
# WebAuthn challenge is performed&lt;br /&gt;
# Assertion is verified&lt;br /&gt;
# OIDC ID Token is issued&lt;br /&gt;
# OAuth access tokens are minted&lt;br /&gt;
&lt;br /&gt;
Applications remain unaware of the underlying authentication method.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
== Signalling Authentication Strength ==&lt;br /&gt;
&lt;br /&gt;
OIDC supports claims that describe authentication context:&lt;br /&gt;
&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;amr&amp;#039;&amp;#039;&amp;#039; – Authentication Methods Reference&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;acr&amp;#039;&amp;#039;&amp;#039; – Authentication Context Class Reference&lt;br /&gt;
&lt;br /&gt;
Example:&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&amp;quot;amr&amp;quot;: [&amp;quot;fido&amp;quot;]&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This enables step-up authentication and policy-driven enforcement.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
== Why This Matters ==&lt;br /&gt;
&lt;br /&gt;
When authentication, identity, and authorization are properly separated:&lt;br /&gt;
&lt;br /&gt;
* Passwordless login becomes trivial&lt;br /&gt;
* Strong MFA can be enforced selectively&lt;br /&gt;
* APIs remain decoupled from identity mechanics&lt;br /&gt;
* Security improves without rewriting applications&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
== Conclusion ==&lt;br /&gt;
&lt;br /&gt;
OAuth 2.0, OpenID Connect, and WebAuthn are not competing technologies.&lt;br /&gt;
&lt;br /&gt;
They are deliberately orthogonal layers that, when combined correctly, produce systems that are safer, simpler, and easier to evolve.&lt;/div&gt;</summary>
		<author><name>Dex</name></author>
	</entry>
</feed>