There are lot of articles, why OAuth is not for authentication. I don't understand, where the authentication happens (if incorrectly used). Can someone explain on simple trusted web app and SPA usage of OAuth the wrong way?
If I will call from the app /users/1/detail and will pass proper Bearer header along, how is the OAuth used to verify the user is really id 1? Does it require usage of JWT to be able to decode the access token and compare with id contained inside?
OAuth 2.0 is NOT an Authentication protocol. (But you could build one on top of OAuth 2.0 as is done with OpenID Connect)
OAuth is a an open standard, scalable, RESTful Protocol for Delegation of Authorization to server resources using HTTP.
Let's say there is a protocol like OAuth (let's call it MyAuth), but used for authentication of your app's frontend with your app's backend.
To understand why OAuth and MyAuth are different, first know that they both have refresh tokens that are long lived and access tokens that are short lived. Also, if party1 needs access to party2, party2 will have to generate these tokens and party1 would have to store both of these tokens somehow to maintain access.
About OAuth:
We have three parties (there are other types too): App1's backend, App1's frontend and App2's backend.
Here the aim is to give access to App1's backend and frontend, access to App2's backend, on behalf of a user.
Here only, App1's backend and App2's backend can be trusted as secure parties.
About MyAuth:
We have two parties: App1's backend, App1's frontend.
Here the aim is to give App1's frontend, access to App1's backend, on behalf of a user (this is the case for all apps, after a user logs into the app).
Here only App1's backend is a trusted party.
Since refresh tokens are long lived, getting unauthorised access to them can be a serious problem. So, in OAuth flow, it is designed so that App2 backend's refresh tokens are only stored on App1's backend (which is a trusted party). And only App2 backend's access token (which is short lived) is sent to App1's frontend. In MyAuth, we have no trusted party to store App1 backend's refresh token. This means, that you are storing the refresh token in a place where it can be stolen relatively easily - which is a security problem. So while OAuth doesn't have to solve this problem as such, MyAuth does.
To know more about session security and the various types of flows, please see: https://hackernoon.com/all-you-need-to-know-about-user-session-security-ee5245e6bdad
