OAuth and OpenID Connect

Prefactor implements OAuth and OpenID Connect - industry-standard protocols that provide secure, interoperable authentication. Understanding these standards helps you integrate with Prefactor.

What is OAuth?

OAuth is an authorization framework that allows applications to access resources on behalf of users without sharing passwords. While it’s primarily designed for authorization, it forms the foundation for authentication protocols.

Key OAuth concepts

Authorization Server

The server that issues access tokens after successfully authenticating the user. This is Prefactor.

Resource Server

The Resource Server hosts the protected resources (data/APIs) that the client wants to access on behalf of the user. This is what you’ll build.

Client

Your application that wants to access user data or perform actions on behalf of the user.

What is OpenID Connect?

OpenID Connect (OIDC) is an authentication layer built on top of OAuth. While OAuth focuses on authorization, OIDC adds authentication capabilities, allowing clients to verify the user’s identity.

Key OpenID Connect concepts

ID Token

A JWT (JSON Web Token) that contains information about the authenticated user, including their identity and authentication details.

UserInfo Endpoint

An API endpoint that provides additional user information beyond what’s included in the ID token.

Claims

Pieces of information about the user, such as their name, email, or profile picture.

How OAuth and OIDC work together

The combination of OAuth and OIDC provides both authentication and authorization:

Authentication: OIDC verifies who the user is
Authorization: OAuth determines what the user is allowed to do
Token issuance: The system provides both ID tokens (for identity) and access tokens (for authorization)

Tokens explained

ID Tokens

Contain information about the authenticated user
Include claims like user ID, email, and name
Signed to prevent tampering
Used to establish the user’s identity

Access Tokens

Represent authorization to access specific resources
Short-lived for security
Can be refreshed using refresh tokens
Contain scopes that define what actions are permitted

Refresh Tokens

Long-lived tokens used to obtain new access tokens
Stored securely by the client
Allow applications to have long-running sessions without the user re-authenticating

Scopes and claims

Scopes

Scopes are opaque strings (e.g. “docs:write”) that can be used for a variety of purposes, but often represent permissions. When starting an OAuth flow, a set of scopes can be requested. During the flow the user can agree to grant those scopes.

Generally these are specific to the application; the exception is OpenID Connect where some pre-defined scopes are used to request particular information about the user — “claims”.

Claims

Claims are pieces of information about the user:

sub (subject) - Unique user identifier
email - User’s email address
name - User’s full name
picture - URL to user’s profile picture

These claims are encoded in the ID token or returned from the UserInfo endpoint.

Why these standards matter

Using OAuth and OIDC provides several benefits:

Interoperability

Works with a wide range of libraries and frameworks
Compatible with many third-party services
Follows established industry patterns

Security

Built-in protection against common attacks
Supports fine-grained permissions through scopes
An audited design which has been strengthened over multiple iterations

Developer experience

Well-documented standards with extensive tooling
Mature ecosystem of libraries and SDKs
Clear patterns for implementation

Authorization flexibility

Supports multiple authorization patterns
Can implement complex permission models
Enables fine-grained access control
Provides audit trails for access decisions

Understanding these standards and authorization patterns helps you build secure applications that properly control access to resources while providing a good user experience.