
OAuth 2.0 / OIDC — Delegated Authorization and Identity

OAuth 2.0 = framework for delegated authorization (may this client access X?). OIDC = identity layer on top of it (who is this user?), adding the ID token and the UserInfo endpoint.

When to use

  • Third-party login (OAuth + OIDC)
  • Delegating access without sharing credentials
  • Service-to-service auth (Client Credentials)

Tradeoffs

  • Self-contained JWT access tokens can't be revoked before expiry unless the resource server also checks a blocklist (or the introspection endpoint, RFC 7662); keep lifetimes short
  • Implicit flow is deprecated (tokens returned in the URL fragment), but many tutorials still show it
Example: service-to-service token via Client Credentials (Go)

    import (
        "encoding/json"
        "fmt"
        "net/http"
        "net/url"
    )

    // fetchServiceToken obtains an access token with the Client Credentials grant.
    // OAuthConfig (TokenURL, ClientID, ClientSecret, Scope) is assumed to be defined
    // elsewhere. The secret travels in the form body (client_secret_post), so
    // TokenURL must be HTTPS and the secret must come from config, never source.
    func fetchServiceToken(cfg OAuthConfig) (string, error) {
        data := url.Values{
            "grant_type":    {"client_credentials"},
            "client_id":     {cfg.ClientID},
            "client_secret": {cfg.ClientSecret},
            "scope":         {cfg.Scope},
        }
        resp, err := http.PostForm(cfg.TokenURL, data)
        if err != nil {
            return "", err
        }
        defer resp.Body.Close()
        if resp.StatusCode != http.StatusOK { // non-200 carries an OAuth error object, not a token
            return "", fmt.Errorf("token endpoint returned %s", resp.Status)
        }
        var result struct {
            AccessToken string `json:"access_token"`
        }
        if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
            return "", fmt.Errorf("decoding token response: %w", err)
        }
        if result.AccessToken == "" {
            return "", fmt.Errorf("token response has no access_token")
        }
        return result.AccessToken, nil
    }
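The revocation tradeoff above in working form, as an added example (not code from the original page): a resource server that verifies an HS256 JWT and then consults a jti blocklist. The blocklist keeps each revoked ID only until that token's own exp, so it stays bounded; an expired token is rejected by the exp check regardless. The Sign helper, the Claims subset, the key, and the claim values are all constructed for this example; a real issuer would use a maintained JWT library, and the alg check is pinned to HS256 so an "alg":"none" header or a key-confusion header is refused.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of registered JWT claims this example uses.
type Claims struct {
	Sub string `json:"sub"`
	Jti string `json:"jti"` // unique token ID; the key the blocklist revokes by
	Exp int64  `json:"exp"` // expiry, Unix seconds
}

// Blocklist records revoked token IDs until their own exp, so it stays bounded:
// after exp the token is rejected by the expiry check anyway.
type Blocklist struct{ revoked map[string]int64 }

func NewBlocklist() *Blocklist { return &Blocklist{revoked: map[string]int64{}} }

func (b *Blocklist) Revoke(jti string, exp int64) { b.revoked[jti] = exp }

func (b *Blocklist) IsRevoked(jti string, now int64) bool {
	exp, ok := b.revoked[jti]
	if ok && exp <= now {
		delete(b.revoked, jti) // entry has outlived its token; forget it
		return false
	}
	return ok
}

var b64 = base64.RawURLEncoding

// Sign mints an HS256 JWT (constructed for this example only).
func Sign(c Claims, key []byte) string {
	header := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(c)
	signingInput := header + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil))
}

// Verify checks the MAC first, then alg, expiry and the blocklist: nothing in
// the payload is trusted before the signature has been verified.
func Verify(token string, key []byte, bl *Blocklist, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return c, errors.New("bad signature")
	}
	var h struct {
		Alg string `json:"alg"`
	}
	hdr, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hdr, &h) != nil || h.Alg != "HS256" {
		return c, errors.New("unexpected alg") // refuses "none" and key-confusion headers
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return c, errors.New("bad payload")
	}
	if c.Exp <= now.Unix() {
		return c, errors.New("token expired")
	}
	if bl.IsRevoked(c.Jti, now.Unix()) {
		return c, errors.New("token revoked")
	}
	return c, nil
}

func main() {
	key := []byte("example-hmac-key-not-for-production") // constructed
	bl := NewBlocklist()
	now := time.Now()
	tok := Sign(Claims{Sub: "svc-a", Jti: "abc123", Exp: now.Unix() + 300}, key)
	_, err := Verify(tok, key, bl, now)
	fmt.Println("before revoke:", err)
	bl.Revoke("abc123", now.Unix()+300)
	_, err = Verify(tok, key, bl, now)
	fmt.Println("after revoke:", err)
}
```

The point the example makes is operational: revocation only works if every resource server consults the same blocklist (or an introspection endpoint) on every request, which is exactly the round trip a self-contained token was meant to avoid. Short lifetimes shrink the window instead.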

Gotcha: Never use Implicit flow. It returns tokens in the URL fragment (exposed to browser history, referrers, and any script on the page), it is removed in OAuth 2.1, and it is replaced by Authorization Code + PKCE for browser and mobile clients.
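The replacement flow in working form, as an added example that is not code from the original page: the client side of Authorization Code + PKCE in Go. It generates a code_verifier, derives the S256 code_challenge, builds the front-channel authorization request with response_type=code and a state value, validates the redirect back (state match, error parameter, presence of a code), and returns the back-channel token request form that carries the verifier. VerifyChallenge shows the check the authorization server performs on that verifier. The endpoint URLs, client ID, redirect URI, and the callback query strings are constructed for the example; the verifier/challenge pair in the test is the RFC 7636 Appendix B vector.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// NewVerifier returns 32 random bytes as 43 base64url characters, inside the
// 43..128 character range RFC 7636 requires. Kept client-side until the exchange.
func NewVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// Challenge is the S256 transform: base64url(SHA-256(verifier)), no padding.
func Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyChallenge is the authorization server's check at the token endpoint:
// recompute S256 over the presented verifier and compare with the stored challenge.
func VerifyChallenge(verifier, storedChallenge string) bool {
	return subtle.ConstantTimeCompare([]byte(Challenge(verifier)), []byte(storedChallenge)) == 1
}

// AuthorizeURL builds the front-channel request: response_type=code (never
// "token"), a state value bound to the user's session, and the PKCE challenge.
func AuthorizeURL(authEndpoint, clientID, redirectURI, scope, state, challenge string) (string, error) {
	u, err := url.Parse(authEndpoint)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", scope)
	q.Set("state", state)
	q.Set("code_challenge", challenge)
	q.Set("code_challenge_method", "S256")
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// HandleCallback validates the redirect back to the client and returns the form
// to POST to the token endpoint. The verifier, never the challenge, is sent here.
func HandleCallback(callbackURL, expectedState, clientID, redirectURI, verifier string) (url.Values, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return nil, err
	}
	q := u.Query()
	if e := q.Get("error"); e != "" {
		return nil, fmt.Errorf("authorization failed: %s", e)
	}
	// A state mismatch means this response was not triggered by our own request (CSRF).
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(expectedState)) != 1 {
		return nil, errors.New("state mismatch")
	}
	code := q.Get("code")
	if code == "" {
		return nil, errors.New("no authorization code in callback")
	}
	return url.Values{
		"grant_type":    {"authorization_code"},
		"code":          {code},
		"redirect_uri":  {redirectURI},
		"client_id":     {clientID},
		"code_verifier": {verifier},
	}, nil
}

func main() {
	v, _ := NewVerifier() // constructed client registration values below
	u, _ := AuthorizeURL("https://as.example/authorize", "web-app", "https://app.example/cb", "openid profile", "s3ssion-bound-state", Challenge(v))
	fmt.Println(u)
}
```

Because the code can only be exchanged together with the verifier, an attacker who intercepts the redirect (malicious app on the same device, leaked referrer, proxy log) holds a code they cannot use; that is the property the Implicit flow lacked, since it handed out the token itself on the front channel.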