Skip to main content

When to use OAuth2

OAuth2 is a popular authorization and consent protocol that has been widely adopted by developers to enable third-party applications to access user data.

Good to know

If you are looking for a system that implements registration, login, password reset, social sign in, profile management, 2fa, and more, check out Ory Identities first!

However, OAuth2 is often misunderstood as a Login solution when, in fact, it's an authorization protocol that allows users to grant consent to third-party applications to access their data. In this article, we will clear up the misconceptions surrounding OAuth2 and provide insights on when it's the best authentication solution for your project. By the end of this article, you'll have a better understanding of OAuth2 and how it differs from a Login solution, such as Ory Identities.

Whether to use OAuth2 and OpenID Connect depends on the use case. At Ory, we have worked with many software companies and have seen many use cases where OAuth2 and OpenID Connect made sense (or not). If your project involves one of the following, then you'll likely need OAuth2 and OpenID Connect:

  • If you already rely on OAuth2 and OpenID Connect because you use a product like Auth0 or Keycloak, then you should continue using these protocols to prevent excessive refactoring costs.
  • If you want to enable other companies and developers to access the data of your users with their consent, then OAuth2 and OpenID Connect are essential. OAuth2 enables users to grant consent to third-party applications to access their data, providing a secure way to authenticate user requests.
  • If you need to solve token-based machine-to-machine authorization, then OAuth2 and OpenID Connect are essential. OAuth2 provides a secure and scalable way to authenticate machine-to-machine requests.
  • If you have a large variety of client applications on IoT devices like smart TVs, then OAuth2 and OpenID Connect can be helpful.

There are, of course, more use cases where OAuth2 and OpenID Connect make sense.

However, if your project involves one of the following, then you probably don't need OAuth2:

  • If you need login, registration, profile settings, account verification, and account recovery.
  • If you want to add social sign-in ("Sign in with Google") to your app or website.
  • If you are building a new mobile app or single-page app backed by an API, then using a traditional "Login" solution.

In conclusion, whether to use OAuth2 and OpenID Connect depends on the use case. If your project involves enabling third-party applications to access user data, machine-to-machine authorization, or a large variety of client applications on IoT devices, then you'll likely need OAuth2 and OpenID Connect.

Note: An in-depth blog post on this topic is also available at "Do you need OAuth2?". For a more in-depth understanding of when to use OAuth2 and OpenID Connect, as well as more examples of use cases, we recommend checking out our blog post.