This site reflects work in progress.

OAuth is an authorisation protocol, which means that it deals with questions like "may user X perform action Y?". It is sometimes (ab)used for authentication, which deals with "is this user X?", a question it was not designed to answer.

What we sometimes see is that services use OAuth or OAuth2 as a cross-realm identity provisioning mechanism. This is even further beside the point.

The purpose of OAuth is for any number of services to relay users to an authorisation server to obtain a locally acceptable credential that grants access to a desired resource. This is strictly intended for use with HTTP.

Still, the domains of authentication and authorisation are not as strictly separated in reality; they overlap and mingle and often employ similar technical implementations. This is especially true when we consider an identity as a set of pieces of information, some of which may be unique and others merely descriptive: when we ask which of those pieces may be submitted to a remote realm, we are doing something reminiscent of authorisation, but for the purposes of authentication. In light of that, OpenID Connect builds an authentication framework atop OAuth.
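As an added illustration of what OpenID Connect puts on top of OAuth, the following is an example (not code from this site) of the claim checks a relying party runs on an ID token before treating it as proof of "this is user X"; a bare OAuth access token, which carries no audience binding to the client, no nonce and no guaranteed issuer, fails these checks, which is the technical reason it should not be used as an authentication credential. The issuer URL, client id and token contents are constructed for the example, and the JWT signature is assumed to have been verified earlier by a JWT library.

```python
import base64
import json
import time

# Constructed values for this example; a real relying party configures these.
EXPECTED_ISSUER = "https://issuer.example"
CLIENT_ID = "client-123"


def decode_jwt_payload(token):
    """Base64url-decode the payload segment of a compact JWT (signature assumed checked)."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(segment))


def validate_id_token_claims(claims, expected_nonce, now=None):
    """Return the list of problems that stop these claims from authenticating a user
    to *this* client; an empty list means the ID token is acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append("issuer mismatch")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if CLIENT_ID not in aud:
        problems.append("not issued for this client")   # token meant for another realm
    elif len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        problems.append("multiple audiences without matching azp")
    if claims.get("exp", 0) <= now:
        problems.append("expired")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch (possible replay)")  # must match the login request
    if "sub" not in claims:
        problems.append("no subject")   # nothing to authenticate without a stable subject
    return problems


def make_unsigned_token(claims):
    """Build a constructed header.payload. string purely to exercise the decoder."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."


# Constructed sample claims as an OpenID Connect ID token would carry them.
GOOD_CLAIMS = {"iss": EXPECTED_ISSUER, "sub": "user-42", "aud": CLIENT_ID,
               "exp": 2_000_000_000, "iat": 1_700_000_000, "nonce": "n-1"}
```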