OAuth and OpenID Connect (OIDC)

OAuth is an open standard authorization protocol that provides secure, delegated access to an application's resources. Rather than sharing password data, OAuth uses an authorization token to establish trust between service providers and consumers, so users of an application can grant access to their information without handing over their login credentials. While OAuth is mainly for authorization, many organizations have started adding their own authentication mechanisms on top of it; OpenID Connect defines the authentication standard on top of OAuth authorization.

Large technology companies such as Amazon, Facebook, Google, and Twitter allow the user to share information in their account with third-party applications. For example, you can log in to a new photo app using your Facebook login and authorize the new app to access only your Facebook photo information. The following diagram illustrates an OAuth access delegation flow:

User access delegation with OAuth 2.0

As shown in the preceding diagram, the access delegation flow follows these steps:

  1. You want a photo app to get your profile photo from Facebook.
  2. The photo app requests authorization to access Facebook profile photos.
  3. The authorization server (which is your Facebook account in this case) creates and displays a consent screen to you.
  4. You provide your consent to the request for the photo app to access only your Facebook profile photos.
  5. After getting your approval, the Facebook authorization server sends an authorization code back to the requesting photo app.
  6. The photo app then requests an access token from the authorization server (Facebook account) using the authorization code.
  7. The authorization server identifies the photo app and checks the validity of the authorization code.
  8. If the authorization code is valid, the server issues an access token to the photo app.
  9. The photo app can now access resources such as Facebook profile photos using the access token.

OAuth 2.0, which is faster than OAuth 1.0 and easier to implement, is now the most commonly used version. JSON Web Token (JWT) is a simple, accessible token format that can be used with OAuth and is popular with OpenID Connect. A JWT has a JSON structure carrying claims such as the expiration time, issuer, and subject. It is more robust than Simple Web Token (SWT) and simpler than SAML 2.0.

In this section, you learned about the most common user management tools and services. However, various other protocols and services are available for user authentication and authorization. Implementing the protocols mentioned previously can be complicated, and a large amount of packaged software is available to make the job easier.

Amazon Cognito is a user access management service provided by AWS that includes standards-based authorization such as SAML 2.0, OpenID Connect, and OAuth 2.0, along with an enterprise user directory that can connect to AD. Okta and Ping Identity provide enterprise user management and the ability to communicate with various service provider tools in one place.

Once your application is exposed to the internet, various kinds of attacks are bound to happen. Let's learn about some of the most common attacks and how to set up the first layer of defense for web-layer protection.
