The standard for "log in with X". Flows, tokens, PKCE — and where home-grown auth gets dangerous.
Category · Security & Compliance
The standard behind "Log in with X".
OAuth 2.0 is an authorisation protocol: it governs how one application may access another on behalf of a user without knowing their password. OpenID Connect (OIDC) builds on it and adds authentication — the question of who the user actually is.
At the centre are flows that exchange tokens. For web and mobile apps, the Authorization Code Flow with PKCE is the standard today, because it works even without a securely stored client secret.
When we rely on it.
Wherever users sign in via existing identities or a product needs to access third-party systems — Microsoft Entra, Google, GitHub. Instead of managing passwords ourselves, we lean on established identity providers.
That noticeably reduces attack surface and effort: session management, MFA and password resets sit with the provider, who runs that as a core business.
Where home-built auth gets dangerous.
OAuth is subtle. Misconfigured redirect URIs, missing PKCE or sloppily validated tokens open real holes. Home-built auth usually fails not at the login but at the edge cases — token renewal, logout, revocation.
Our rule: use proven libraries and providers, don't reinvent the protocol.
