Merge pull request #203 from dickhardt/OIDC-reference

point implementers to OIDC in intro #151
oauth-wg · Jan 9, 2025 · 426ce07 · 426ce07
2 parents 20ee216 + 2a3c237
commit 426ce07
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/draft-ietf-oauth-v2-1.md b/draft-ietf-oauth-v2-1.md
@@ -262,7 +262,11 @@ needs to evaluate the policies, and only needs to validate the access token.
 This simplification applies when the application is acting on behalf of a resource
 owner, or on behalf of itself.
 
-OAuth is an authorization protocol, and is not an authentication protocol. The
+OAuth is an authorization protocol, not an authentication protocol, as OAuth does not define the necessary components to achieve user authentication.
+An authentication protocol is necessary if the goal is to authenticate users. An example is OpenID Connect {{OpenID}}, which builds on OAuth to provide the security
+characteristics and necessary components required of an authentication protocol.
+
+The
 access token represents the authorization granted to the client. It is a common
 practice for the client to present the access token to a proprietary API which
 returns a user identifier for the resource owner, and then using the result of