{"id":11260,"date":"2021-06-22T00:00:43","date_gmt":"2021-06-22T07:00:43","guid":{"rendered":"https:\/\/www.couchbase.com\/blog\/?p=11260"},"modified":"2025-06-13T20:08:49","modified_gmt":"2025-06-14T03:08:49","slug":"oauth-2-oidc-fundamentals-authentication-authorization","status":"publish","type":"post","link":"https:\/\/www.couchbase.com\/blog\/oauth-2-oidc-fundamentals-authentication-authorization\/","title":{"rendered":"OAuth 2.0 & OIDC Fundamentals for Authentication & Authorization [Part 1 of 3]"},"content":{"rendered":"

Developers and architects<\/strong> simply can’t build modern applications without running into issues of authorization and authentication. <\/p>\n

OAuth 2.0<\/a>\u00a0is an industry standard for \u201cdelegated authorization\u201d which is the ability to provide an application or client access to data or features offered by another app or service. OAuth 2.0 focuses on authorization and is not prescriptive about authentication.<\/span>\u00a0OpenID Connect (OIDC)<\/a> adds a standards-based authentication layer on top of OAuth 2.0.<\/p>\n

To put this in context, Couchbase Sync Gateway supports various forms of client authentication<\/a>. Clients<\/em> might be Couchbase Lite clients that sync data with the Sync Gateway over the Internet using a websocket-based replication protocol<\/a>, or they could be web frontend or mobile apps that are accessing the Sync Gateway through the public REST endpoint<\/a>. One of the more popular Couchbase Sync Gateway client authentication mechanisms is OIDC.<\/p>\n

In this post, we will cover the fundamentals of OAuth 2.0 and OIDC for authentication and authorization. I will discuss two common flows, namely the Implicit Flow<\/a> and the Authorization Code Flow<\/a>. A basic understanding of the flows should hopefully provide you with sufficient background for understanding how to use OIDC-based authentication within the context of Sync Gateway client authentication. More on that in a future blog post, so stay tuned!<\/p>\n

In order to understand OIDC, we first need to understand OAuth 2.0. That\u2019s because, as an authentication framework, OIDC is built on top of OAuth 2.0.<\/p>\n

An OAuth 2.0 Primer<\/h2>\n

 <\/p>\n

OAuth 2.0<\/a> is an industry standard for delegated authorization, and there are a number of OAuth providers<\/a> on the market.<\/p>\n

For example, consider the “Login with Facebook” button that powers a number of web and mobile apps. This is implemented using OAuth 2.0.<\/p>\n

Here\u2019s a simplified<\/em> view of what goes on behind the scenes. I am describing below what is referred to as the Authorization Code Flow<\/a>. There is an alternative “Implicit Flow” as well which is more prevalent when used in the context of OIDC.<\/p>\n

Prerequisites<\/h3>\n

 <\/p>\n

First, the app\/client must be registered with the Authorization Server. The registration process results in the generation of a client_id<\/code> and a client_secret<\/code> which must then be configured on the app\/client requesting authentication.<\/p>\n

\"OAuth2<\/a><\/p>\n