TL;DR
OAuth is the technology behind "Log in with Google" buttons. It lets users grant your app access to their data on another service without sharing their password. You never see their Google password. Google confirms who they are and gives you a token. OAuth 2.0 is the current standard. OpenID Connect (OIDC) adds identity information on top of OAuth for authentication.
The Simple Explanation
When you click "Log in with Google":
- Your app redirects to Google
- You log in to Google (if not already)
- Google asks "Allow this app to access your profile?"
- You click Allow
- Google redirects back with a code
- Your app exchanges the code for user info
At no point does your app see the user's Google password.
Why Use OAuth?
- Better security: You don't handle or store passwords
- Better UX: Users don't create another password to forget
- Trust: Users trust Google/GitHub more than a new app
- Less work: Google handles 2FA, password resets, security
OAuth vs OpenID Connect
OAuth alone is for authorization (access to resources). It doesn't actually tell you who the user is. OpenID Connect adds identity verification on top of OAuth. When you use "Login with Google", you're using OIDC.
Common OAuth Providers
- GitHub
- Apple
- Microsoft
- Discord
- Twitter/X
Implementing OAuth
Use a library or service rather than building OAuth flows yourself:
- NextAuth.js: For Next.js apps
- Clerk: Full auth solution
- Supabase Auth: Built into Supabase
- Auth0: Enterprise-focused
What is the difference between OAuth and OpenID Connect?
OAuth is for authorization (granting access to resources). OpenID Connect (OIDC) is built on OAuth and adds authentication (verifying identity). When you log in with Google, you are using OpenID Connect. OAuth alone does not tell you who the user is, just what they can access.
Is OAuth more secure than username and password?
OAuth can be more secure because users do not share their password with your app. The identity provider (Google, GitHub) handles authentication and usually has stronger security infrastructure than an individual app. However, you must implement OAuth correctly and validate tokens properly for it to be secure.
What happens if the OAuth provider goes down?
If Google or GitHub is down, users cannot log in using those providers. This is why many apps offer multiple login options or allow linking accounts after initial signup. Consider offering email/password as a backup or multiple OAuth providers.