OAuth is designed as an authorization framework, not an authentication protocol. So why is it commonly used for authentication, like in Google or LinkedIn sign-in? Is this an appropriate use, or is it a misuse without OpenID Connect (OIDC)?
OAuth 2.0 is primarily an authorization framework, designed to grant third-party applications limited access to a user's resources without exposing credentials. However, it's often misused for authentication purposes, as seen in some "Sign in with..." implementations. This misuse can lead to security vulnerabilities, as OAuth 2.0 doesn't inherently verify user identity. To properly authenticate users, OpenID Connect (OIDC) was developed as an identity layer on top of OAuth 2.0, providing mechanisms like ID tokens to securely confirm user identity. Therefore, using OAuth 2.0 alone for authentication is inappropriate; incorporating OIDC ensures both secure authentication and authorization.
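As an added example (not part of the question or answer above), here is the relying-party check of an OIDC ID token in Python, using stdlib HS256 with a constructed client secret, issuer and client ID; the signature, `iss`, `aud`, `exp` and `nonce` checks are what an OAuth access token, used on its own as proof of login, never gives a client.

```python
import base64, hashlib, hmac, json, time

# Constructed values for this example only; a real deployment gets them from its
# provider registration and usually verifies an RS256 signature against the JWKS.
CLIENT_SECRET = b"example-client-secret"
EXPECTED_ISS = "https://issuer.example"
EXPECTED_AUD = "my-client-id"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict, secret: bytes = CLIENT_SECRET) -> str:
    """Mint an HS256-signed JWT; used here only to build sample tokens."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def validate_id_token(token: str, nonce: str, now=None) -> dict:
    """Return verified claims or raise ValueError: the checks an OIDC relying party must make."""
    now = time.time() if now is None else now
    h, p, s = token.split(".")  # raises ValueError if not three segments
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never honour alg:none
        raise ValueError("unexpected alg")
    expected = hmac.new(CLIENT_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUD:  # a token minted for another app must not log anyone in here
        raise ValueError("token not issued to this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:  # binds the token to the login request that started it
        raise ValueError("nonce mismatch")
    return claims

def rejection_reason(token: str, nonce: str, now=None):
    """None if the token is acceptable, otherwise the reason it was rejected."""
    try:
        validate_id_token(token, nonce, now)
        return None
    except ValueError as e:
        return str(e)
```

The `aud` check is the one a bare access token cannot satisfy: an access token issued to some other application still works at the provider's userinfo endpoint, so accepting it as a login proof lets a token obtained elsewhere be replayed against your site.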