The OAuth 2.0 Authorization Protocol
"OAuth" itself isn't spelled out in most places. Wikipedia says it's "Open Authorization". But who knows. I can't tell you how many times this question comes up. But if you ask me, it doesn't matter, and that is a good thing. Let's dive into the question of authentication...
Does OAuth authenticate users?
No. The answer here is clearly no. Not only does OAuth not authenticate users, but it doesn't have anything to say about user authentication. But hang on, see the next question...
Does OAuth accomplish user authentication?
Yes. The answer here is yes, but the method is indirect. If you read my post on OAuth flows, you will know that OAuth has an "authorization" step that requires users to authorize clients to act on their behalf. For OAuth, then, authentication is a logical consequence of authorization.
In order to authorize a client to act on behalf of a user, the user must be known.
For a user to be known, the user must be authenticated.
Therefore, if a user has authorized a client, they must have authenticated.
This logic flow is at the heart of OAuth's power. Because authentication of participants is a necessary requirement of authorization, OAuth doesn't have to say how authentication is accomplished. Because of this, OAuth can be integrated with all sorts of authentication systems and protocols, such as LDAP, OpenID, SAML, WS-Trust, and WebSSO, placing OAuth at the crossroads of identity.
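To make the syllogism concrete, here is a small model of the authorization code step written for this post as an added example; it is not code from the original post or from any OAuth library. The authorization server takes a pluggable authenticator (standing in for LDAP, SAML, WebSSO, or whatever the deployment uses) and refuses to issue a code unless that authenticator can name the user; the client later exchanges the code for an opaque bearer token that carries no identity claim at all. Every name in it (AuthorizationServer, session_authenticator, the client id "app", the users "alice" and "bob", the redirect URI) is constructed for the example.

```python
# Added example: a toy model of the OAuth 2.0 authorization code step.
# It shows that the authorization server must know who the user is before it
# can authorize a client, while the client only ever receives an opaque token.
# All identifiers here are constructed for the example, not taken from a real deployment.
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# The authenticator is pluggable: OAuth says nothing about HOW the user was
# authenticated, so the server only asks "who is in this session, if anyone?".
Authenticator = Callable[[dict], Optional[str]]


def session_authenticator(session: dict) -> Optional[str]:
    """Stand-in for LDAP/SAML/WebSSO: trusts the user id the login system put in the session."""
    return session.get("authenticated_user")


@dataclass
class AuthorizationServer:
    authenticate: Authenticator
    clients: Dict[str, str]                       # client_id -> registered redirect_uri
    code_lifetime: float = 600.0                  # seconds; authorization codes should be short-lived
    _codes: dict = field(default_factory=dict)    # code -> grant record
    _tokens: dict = field(default_factory=dict)   # access_token -> grant record

    def authorize(self, session: dict, client_id: str, redirect_uri: str, scope: str) -> str:
        """The authorization step: returns an authorization code for the client."""
        if self.clients.get(client_id) != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        user = self.authenticate(session)
        if user is None:
            # Authorization presupposes authentication: no known user, no grant.
            raise PermissionError("user must be authenticated before authorizing a client")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"user": user, "client_id": client_id, "redirect_uri": redirect_uri,
                             "scope": scope, "expires": time.monotonic() + self.code_lifetime}
        return code

    def token(self, code: str, client_id: str, redirect_uri: str) -> dict:
        """Exchanges a code for a bearer token. The response carries no user identity."""
        grant = self._codes.pop(code, None)       # pop: codes are single-use
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri
                or time.monotonic() > grant["expires"]):
            raise PermissionError("invalid_grant")
        access_token = secrets.token_urlsafe(32)  # opaque: reveals nothing about the user
        self._tokens[access_token] = {"user": grant["user"], "scope": grant["scope"]}
        return {"access_token": access_token, "token_type": "Bearer", "scope": grant["scope"]}

    def introspect(self, access_token: str) -> Optional[dict]:
        """Only the server (or a resource server it trusts) can map a token back to a user."""
        return self._tokens.get(access_token)


def run_flow(server: AuthorizationServer, session: dict,
             client_id: str = "app", redirect_uri: str = "https://app.example/cb") -> dict:
    """Drive the two-step flow for one client and return the token response."""
    code = server.authorize(session, client_id, redirect_uri, scope="read")
    return server.token(code, client_id, redirect_uri)


def demo() -> dict:
    """Constructed scenario: an anonymous session is refused, an authenticated one is granted."""
    server = AuthorizationServer(authenticate=session_authenticator,
                                 clients={"app": "https://app.example/cb"})
    results = {}
    try:
        run_flow(server, session={})                      # nobody is logged in
        results["anonymous"] = "granted"
    except PermissionError as err:
        results["anonymous"] = str(err)
    resp = run_flow(server, session={"authenticated_user": "alice"})  # constructed user
    results["client_sees_user"] = "user" in resp          # False: no identity claim for the client
    results["server_knows_user"] = server.introspect(resp["access_token"])["user"]
    return results


if __name__ == "__main__":
    print(demo())
```

The interesting line is the `user is None` check in `authorize`: it is the only place the model touches authentication, and it does so by delegating to whatever authenticator was plugged in. Everything downstream (code binding to client and redirect URI, single-use codes, opaque tokens) is authorization machinery that works the same no matter how the user proved who they were.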
Ok, so does OAuth authorize?
Now you're jumping ahead. That's the subject for the next blog post. Stay tuned.