After doing some research i would answer myself.
OAuth 2.0 is fundamentally an authorization framework, designed to allow third-party applications to access a user's resources without exposing their credentials. However, it's often employed for authentication purposes, as seen with services like Google or LinkedIn sign-ins. This practice raises questions about its appropriateness and potential security implications, especially when OpenID Connect (OIDC) is not utilized.
Understanding OAuth 2.0's Role:
Authorization Focus: OAuth 2.0 enables applications to obtain limited access to a user's resources on another service. It doesn't inherently authenticate the user but grants tokens for resource access.
Authentication Misuse: Using OAuth 2.0 solely for authentication is considered a misuse. While it can facilitate user data access, it doesn't verify user identity, leading to potential security vulnerabilities.
Introduction of OpenID Connect (OIDC):
Authentication Layer: OIDC is an identity layer built atop OAuth 2.0, providing mechanisms to authenticate users and obtain their profile information in a standardized manner.
ID Tokens: OIDC introduces ID tokens, which contain claims about the authentication event and the user, ensuring proper user verification.
Security Implications of Misusing OAuth 2.0:
Impersonation Risks: Without OIDC, relying on OAuth 2.0 for authentication can expose applications to impersonation attacks, as access tokens don't confirm user identity.
Standardization Issues: OAuth 2.0 lacks standardized methods for authentication, leading to inconsistent implementations and potential security gaps.
Conclusion:
While OAuth 2.0 is designed for authorization, its combination with OpenID Connect enables secure and standardized authentication. Utilizing OAuth 2.0 alone for authentication is inappropriate and can introduce security vulnerabilities. Therefore, incorporating OIDC is essential for proper user authentication in applications.