Backend
OAuth2
A delegation framework that lets an app act on a user's behalf without their password, exchanging an authorization code for access and refresh tokens (Authorization Code with PKCE is the modern flow). It powers 'Sign in with Google' and third-party API access. It handles authorization, not identity — that is what OIDC layers on top.
Purpose
OAuth 2.0 is a delegation framework: it lets an application act on a user's behalf against another service without handling their password, by exchanging a short-lived authorization code for access and refresh tokens. It exists so users can grant scoped, revocable access to third parties.
When to Use It
'Sign in with Google/GitHub', letting an app read a user's calendar or repositories, and any case where you must call an API as the user. With OIDC layered on top it also becomes your login and SSO mechanism.
For first-party login where you control both sides, a plain session can be simpler than a full OAuth exchange.
Trade-offs
It is powerful but intricate — several flows, token lifetimes and scope design to get right. Misused flows (the old implicit flow, tokens in the URL) have caused real breaches. It handles authorization; identity requires the OIDC extension.
Implementation
Use the Authorization Code flow with PKCE, the current best practice for web and mobile. Keep client secrets server-side, request the narrowest scopes, store tokens securely, and rotate refresh tokens. Validate the state parameter to prevent CSRF on the callback.