
The Complete Guide to OAuth/OIDC

07. 09. 2021 1 min read intermediate

OAuth 2.0 and OpenID Connect (OIDC) are the foundation of modern authorization and authentication on the web. Understand them once, use them everywhere.

OAuth 2.0 vs OIDC

  • OAuth 2.0 — authorization (delegated access to resources); it does not tell the client who the user is
  • OIDC — authentication (user identity); an identity layer on top of OAuth 2.0 that adds the ID Token and the userinfo endpoint

Tokens

  • Access Token — short-lived, presented to APIs as a bearer token
  • Refresh Token — long-lived, used to obtain a new access token without the user signing in again
  • ID Token — a JWT with claims about the authenticated user (OIDC only); it is meant for the client, not for calling APIs

Authorization Code Flow

  1. User clicks “Login with Google”
  2. Browser is redirected to Google's authorization endpoint with client_id, redirect_uri, scope and a random state value
  3. User signs in and grants consent
  4. Google redirects back to the registered redirect URI with a short-lived, single-use authorization code
  5. Backend checks that state matches what it sent, then exchanges the code for tokens at the token endpoint (authenticating with its client secret)
  6. Backend creates its own session (cookie or JWT) for the user

PKCE (for SPAs and mobile apps)

Authorization Code Flow + Proof Key for Code Exchange (RFC 7636). The client generates a random code_verifier, sends its SHA-256 hash as code_challenge with the authorization request, and presents the verifier when redeeming the code. An attacker who intercepts the code (for example via a malicious app registered for the same redirect URI) cannot exchange it without the verifier. Required for public clients, which cannot keep a client secret, and recommended for all clients; OAuth 2.1 mandates it for every authorization code request.

JWT

A JWT is three base64url-encoded parts joined by dots: header.payload.signature. The signature covers the encoded header and payload, so neither can be changed without invalidating it.

// Header
{ "alg": "RS256", "typ": "JWT" }

// Payload
{ "sub": "user123", "email": "[email protected]", "exp": 1707900000 }

// Signature
RSASHA256(base64url(header) + "." + base64url(payload), private_key)

Best Practices

  • Keep access tokens short-lived (5-15 minutes)
  • Rotate refresh tokens on every use and revoke the whole family if an already-used one is replayed
  • Always use PKCE for SPAs and mobile apps
  • Validate tokens on the server: signature against the issuer's published keys, the expected alg, and the iss, aud and exp claims
  • Do not store tokens in localStorage (any script injected via XSS can read it)
  • For browser apps, keep the session in httpOnly, Secure, SameSite cookies

Recommendations

Do not implement OAuth/OIDC yourself. Use Auth0, Clerk, Keycloak or next-auth.

Tags: oauth, oidc, security, authentication
CORE SYSTEMS team

We build core systems and AI agents that keep operations running. 15 years of experience with enterprise IT.