# OAuth 2.0 and OpenID Connect (OIDC)

###### tags: `Security` `Authentication` `Authorization` `OIDC`

### OAuth 2.0

OAuth is an authorization protocol. The aim is to obtain an access token. The client requests authorization and supplies a callback URL; an authorization code is then sent to the client via the front channel. After that, the client exchanges the code for the access token via the back channel.

### Front Channel, Back Channel

Front channel communication (through the user's browser) is considered only partially safe. Back channel communication (server to server) is considered safer. OAuth incorporates both of these for their respective strengths: user interaction on the front channel and security on the back channel.

### OpenID Connect

OAuth by default does not support authentication. OIDC is an authentication layer on top of OAuth. It sends an id_token which contains user data.

### State Prevents CSRF

Create a CSRF token

```
{
  "afterAuth": "https://www.my-site.com/admin/",
  "proofKey": "Es.wszQ-wqc_N9fR7ppwjqOaD~jADC..."
}
```

and put it in a cookie, base64-encoded (HttpOnly, Secure, SameSite=None). Then send a hash of it to the authorization server as the `state` parameter. On the callback, hash the cookie value again and compare the hashes.

### Nonce

Protects against replay attacks: the nonce sent in the authentication request must come back inside the id_token.

### Reference

OAuth 2.0 and OpenID Connect (in plain English)
https://www.youtube.com/watch?v=996OiexHze0
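The state and nonce checks described above, as an added example that is not from the original note. It assumes the cookie record follows the page's `afterAuth`/`proofKey` shape with a `nonce` field added, and that the function and cookie names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def new_login_state(after_auth: str) -> dict:
    """Per-login record kept in the browser cookie (constructed structure:
    the page's afterAuth/proofKey fields plus an OIDC nonce)."""
    return {
        "afterAuth": after_auth,
        "proofKey": secrets.token_urlsafe(32),
        "nonce": secrets.token_urlsafe(16),
    }


def encode_cookie(record: dict) -> str:
    """Serialize and base64url-encode the record for the cookie value."""
    raw = json.dumps(record, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).decode()


def decode_cookie(value: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(value.encode()))


def set_cookie_header(cookie_value: str) -> str:
    """Set-Cookie line with the attributes the note calls for (name is hypothetical)."""
    return f"login_state={cookie_value}; Path=/; HttpOnly; Secure; SameSite=None"


def state_param(cookie_value: str) -> str:
    """`state` sent to the authorization server: SHA-256 of the cookie value,
    so the proofKey itself never leaves the browser/app pair."""
    return hashlib.sha256(cookie_value.encode()).hexdigest()


def verify_callback(cookie_value: Optional[str], returned_state: str) -> bool:
    """On the redirect back: recompute the hash from the cookie the browser
    presented and compare it in constant time with the echoed `state`.
    A missing cookie (forged cross-site start) fails closed."""
    if not cookie_value:
        return False
    return hmac.compare_digest(state_param(cookie_value), returned_state)


def verify_nonce(cookie_value: str, id_token_claims: dict) -> bool:
    """The nonce claim in the id_token must equal the one minted for this login."""
    expected = decode_cookie(cookie_value)["nonce"]
    return hmac.compare_digest(expected, str(id_token_claims.get("nonce", "")))
```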