OAuth Explained

The authorization framework behind "Login with Google" and secure API access delegation.

OAuth

OAuth (Open Authorization) is an authorization framework that allows third-party applications to access a user's resources on another service without exposing their credentials. It enables "Login with Google/GitHub/Facebook" flows and API access delegation.

Explanation

Imagine you want a third-party app to read your Google Calendar events. Without OAuth, you would have to give that app your Google username and password, a massive security risk. OAuth solves this by introducing an authorization flow: you are redirected to Google, log in there, grant specific permissions (scopes) to the third-party app, and Google issues an access token that the app uses to access only the permitted resources.

OAuth 2.0 is the current standard and defines several "grant types" for different scenarios. The Authorization Code flow (with PKCE) is the most secure and is recommended for web and mobile applications. The Client Credentials flow is used for server-to-server communication where no user is involved. The Implicit flow (now deprecated) was used for single-page apps but has been replaced by Authorization Code with PKCE.

OAuth handles authorization (what you can access), not authentication (who you are). OpenID Connect (OIDC) is a layer built on top of OAuth 2.0 that adds authentication by introducing an ID token containing user identity claims. Most "Login with Google" implementations use OIDC rather than raw OAuth.

Bookuvai Implementation

Bookuvai integrates OAuth 2.0 with PKCE for all social login flows and third-party API integrations. Our standard authentication module supports Google, GitHub, Apple, and Microsoft identity providers out of the box. For projects that need API-to-API authorization, we implement the Client Credentials flow with scoped access tokens. All OAuth configuration is handled through environment variables with encrypted secret storage.

Key Facts

  • OAuth 2.0 with PKCE is the current recommended flow for web and mobile apps
  • Separates authorization (access) from authentication (identity)
  • OpenID Connect adds identity verification on top of OAuth 2.0

Frequently Asked Questions

What is the difference between OAuth and OpenID Connect?
OAuth handles authorization (granting access to resources). OpenID Connect (OIDC) is built on top of OAuth and adds authentication (verifying user identity). OIDC introduces an ID token that contains user profile information.
What is PKCE and why is it important?
PKCE (Proof Key for Code Exchange) prevents authorization code interception attacks. It adds a code verifier/challenge pair to the Authorization Code flow, making it safe for public clients like SPAs and mobile apps where client secrets cannot be kept confidential.
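The Authorization Code flow with PKCE described in the explanation above and in this FAQ answer, as a worked example added here (not Bookuvai's authentication module). The client derives a code_verifier and its S256 code_challenge, sends only the challenge with the authorization request, checks the state value on the redirect back, and the token endpoint refuses to redeem an authorization code unless the presenter knows the verifier that matches the stored challenge. AUTHORIZE_URL, the client id and the redirect URI are made-up values, and TokenEndpoint is a stand-in for the authorization server:

```python
"""PKCE walkthrough (example added here; not Bookuvai's module).

Both sides of the exchange run in one process so the binding between the
authorization code and the code_verifier can be seen end to end.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://idp.example.test/oauth2/authorize"  # assumed endpoint


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Fresh per-request secret; 32 random bytes encode to 43 characters (the minimum)."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(client_id: str, redirect_uri: str, scope: str,
                            state: str, challenge: str) -> str:
    """Authorization request: the challenge leaves the client, the verifier never does."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


class TokenEndpoint:
    """Stand-in for the authorization server's code issuance and token endpoint."""

    def __init__(self) -> None:
        self._pending = {}  # authorization code -> (code_challenge, client_id)

    def issue_code(self, client_id: str, challenge: str) -> str:
        """Called after the user consents; the code is bound to the challenge it came with."""
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = (challenge, client_id)
        return code

    def redeem(self, code: str, client_id: str, verifier: str):
        """Return a token only if SHA256(verifier) matches the stored challenge.
        The code is consumed on every attempt, so a failed redemption burns it."""
        entry = self._pending.pop(code, None)
        if entry is None:
            return None  # unknown, or already used
        challenge, bound_client = entry
        if bound_client != client_id or not 43 <= len(verifier) <= 128:
            return None
        if not secrets.compare_digest(make_code_challenge(verifier), challenge):
            return None
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer"}


def run_flow(intercepted: bool = False) -> dict:
    """Run one flow. With intercepted=True, a party holding the code but not the
    verifier tries to redeem it first; that attempt fails and also burns the code."""
    server = TokenEndpoint()
    client_id, redirect_uri = "calendar-reader", "https://app.example.test/callback"
    verifier = make_code_verifier()
    state = b64url(secrets.token_bytes(16))
    url = build_authorization_url(client_id, redirect_uri, "calendar.readonly",
                                  state, make_code_challenge(verifier))
    request = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    code = server.issue_code(request["client_id"], request["code_challenge"])
    # The redirect back to the client carries code and state; the client checks state.
    callback = {"code": code, "state": request["state"]}
    if not secrets.compare_digest(callback["state"], state):
        return {"state_ok": False, "legit_ok": False, "intercept_ok": False}
    intercept_ok = False
    if intercepted:
        intercept_ok = server.redeem(code, client_id, make_code_verifier()) is not None
    token = server.redeem(callback["code"], client_id, verifier)
    return {"state_ok": True, "legit_ok": token is not None, "intercept_ok": intercept_ok}


if __name__ == "__main__":
    print(run_flow())                  # legitimate client gets a token
    print(run_flow(intercepted=True))  # interceptor is refused and the code is dead
```

The test vector in RFC 7636 Appendix B (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk, challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM) can be used to confirm make_code_challenge. The single-use rule in redeem is deliberate: once a code has been presented with a wrong verifier, the legitimate client's later attempt fails too, which is the signal that the redirect was tampered with and the user should restart the login.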
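The OIDC ID token mentioned in the explanation and in the first FAQ answer is a JWT, and a relying party has to verify its signature and claims before treating the user as logged in. The following is an added example, not Bookuvai's code or any provider's SDK. To keep it runnable offline it assumes an HS256 token signed with a shared key; real providers sign with RS256 or ES256 and publish the public key through their JWKS endpoint, but the issuer, audience, expiry and nonce checks are the same. ISSUER, CLIENT_ID, SHARED_KEY and all claim values are constructed:

```python
"""ID token validation (example added here; not Bookuvai's code)."""
import base64
import binascii
import hashlib
import hmac
import json

ISSUER = "https://idp.example.test"                  # assumed issuer
CLIENT_ID = "calendar-reader"                        # assumed client id
SHARED_KEY = b"demo-shared-key-not-for-production"   # constructed HS256 key


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Provider side: header.payload.signature, compact JWT serialization."""
    header = {"alg": "HS256", "typ": "JWT"}
    segs = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(segs)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def validate_id_token(token: str, expected_nonce: str, now: int, key: bytes = SHARED_KEY):
    """Relying-party side. Returns (ok, reason, claims); claims is None on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    try:
        header = json.loads(b64url_decode(parts[0]))
        signature = b64url_decode(parts[2])
    except (ValueError, binascii.Error):
        return False, "malformed", None
    # Pin the algorithm: the token must never choose how it is verified.
    if header.get("alg") != "HS256":
        return False, "unexpected alg", None
    expected_sig = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        return False, "bad signature", None
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except (ValueError, binascii.Error):
        return False, "malformed", None
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer", None
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        return False, "token not meant for this client", None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return False, "expired", None
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch", None
    if not claims.get("sub"):
        return False, "missing subject", None
    return True, "ok", claims


def demo() -> dict:
    """Exercise the validator with one good token and several bad ones (all constructed)."""
    now, nonce = 1_700_000_000, "n-0S6_WzA2Mj"
    base = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID, "iat": now - 60,
            "exp": now + 300, "nonce": nonce, "email": "alice@example.test"}
    results = {"valid": validate_id_token(mint_id_token(base), nonce, now)[0]}
    # A token issued to a different client must not log anyone in here.
    results["other_client"] = validate_id_token(mint_id_token({**base, "aud": "other-app"}), nonce, now)[1]
    results["expired"] = validate_id_token(mint_id_token(base), nonce, now + 600)[1]
    # Replay of a token from another login session: nonce does not match.
    results["replayed"] = validate_id_token(mint_id_token(base), "different-nonce", now)[1]
    # Payload edited after signing: signature no longer covers it.
    h, _, s = mint_id_token(base).split(".")
    forged = b64url_encode(json.dumps({**base, "sub": "admin"}).encode())
    results["tampered"] = validate_id_token(f"{h}.{forged}.{s}", nonce, now)[1]
    # Header claims 'none' as algorithm and carries no signature.
    none_header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    results["alg_none"] = validate_id_token(f"{none_header}.{forged}.", nonce, now)[1]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>13}: {outcome}")
```

The order of checks matters: the signature is verified before any claim is read, so a forged payload is rejected without its contents influencing anything, and the algorithm is pinned by the relying party rather than taken from the token header.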