
My understanding is that OpenID Connect is built on top of OAuth2, sort of a specialization.



Correct. OAuth is for delegated authorization. OpenID Connect for authentication.


> OAuth is for delegated authorization.

Have you ever seen OAuth used alone? I'm looking for examples of this and they seem to be few and far between.


There are LOTS of them. Anything that allows you to link your Google/Facebook/etc. account to another system, so that system can perform actions on your Google/Facebook/etc. account on your behalf.

Examples: Slack (e.g., notify you of events on your calendar, create a GMeets meeting), services like cal.com, whatsapp (store backups on your Google Drive).


It's rare in my experience. We don't support OIDC, so technically it's standalone oauth. In reality there's of course a user identity in the mix used to authorize the resulting access tokens.

Even server to server calls, ie daemons, service principals, what have you, still rely on a client identity.

I think the closest to true agentless access I've seen widely used are SAS for Azure Storage and of course deploy keys in GitHub, which we're building off ramps for. Agentless authz just is not a good idea


What do you mean? What is an example of it not being used alone?


I mean it is usually paired with an id token, an identifier like an email address is provided, or the access token has a sub claim that is tied back to the user.

So it is not pure authorization, but both authentication and authorization.

Pure authorization would be like a car key, with no identity mixed in.

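To make the distinction in the comments above concrete (OIDC layered on an OAuth2 token response, versus a "car key" access token with no identity in it), here is an added example that is not from any commenter. It simulates an authorization server's token endpoint and a client that asks two separate questions of the response: what am I allowed to do (the access token's scopes) and who signed in (the id_token's sub). The issuer URL, client id, subject, scopes and the HS256 shared secret are constructed for the example; a real provider would sign with an asymmetric key published via JWKS, but the claim checks are the same ones a client must perform.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the example; a real provider signs with RSA/EC keys.
SECRET = b"example-hmac-key-not-for-production"
ISSUER = "https://idp.example"      # assumed issuer URL
CLIENT_ID = "calendar-bot"          # assumed OAuth2 client id
RESOURCE = "https://calendar.example/api"  # assumed API the access token targets


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict) -> str:
    """Minimal HS256 JWT signer (example only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str) -> dict:
    """Check the signature before trusting any claim in the payload."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))


def token_endpoint(scopes, nonce, now: int) -> dict:
    """Simulated authorization-server response. Plain OAuth2 always returns an
    access token; the id_token is added only when the 'openid' scope is granted,
    which is exactly the OIDC layer on top of OAuth2."""
    access = mint_jwt({
        "iss": ISSUER, "aud": RESOURCE,
        "scope": " ".join(scopes), "exp": now + 3600, "iat": now,
    })
    response = {"access_token": access, "token_type": "Bearer", "expires_in": 3600}
    if "openid" in scopes:
        response["id_token"] = mint_jwt({
            "iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1234",
            "email": "alice@example.com", "nonce": nonce,
            "exp": now + 300, "iat": now,
        })
    return response


def granted_scopes(response: dict) -> set:
    """Authorization question: what may the client do with this token?"""
    return set(verify_jwt(response["access_token"])["scope"].split())


def authenticated_subject(response: dict, nonce: str, now: int):
    """Authentication question: who signed in? Returns None for a pure OAuth2
    response, because an access token is a capability, not an identity."""
    if "id_token" not in response:
        return None
    claims = verify_jwt(response["id_token"])
    # OIDC core checks: issued by the expected IdP, addressed to THIS client,
    # bound to the nonce we sent (anti-replay), and not expired.
    if claims["iss"] != ISSUER or claims["aud"] != CLIENT_ID:
        raise ValueError("id_token not issued for this client")
    if claims["nonce"] != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if claims["exp"] <= now:
        raise ValueError("id_token expired")
    return claims["sub"]


if __name__ == "__main__":
    now = 1_700_000_000
    plain = token_endpoint(["calendar.read"], None, now)
    oidc = token_endpoint(["openid", "calendar.read"], "n1", now)
    print("OAuth2 only  ->", granted_scopes(plain), authenticated_subject(plain, "n1", now))
    print("OAuth2 + OIDC->", granted_scopes(oidc), authenticated_subject(oidc, "n1", now))
```

The point of the `aud` check is the one that trips up people who treat an access token as a login: the access token here is addressed to the calendar API, so the client must not use it as proof of who the user is, while the id_token is addressed to the client and carries the user identity.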

Canva's api uses oauth2 but not OIDC.



