OAuth 2.1 for User Authentication

OAuth 2.1 in AuthSec is designed specifically for human user authentication, while keeping a clean separation from machine and agent identities managed through SPIFFE and SPIRE.

AuthSec implements OAuth 2.1 with Authorization Code + PKCE only, removing legacy and insecure flows. This ensures every user login results in a verifiable, user-bound identity, without introducing long-lived secrets or implicit trust.

How User Authentication Works

  1. A user authenticates via a supported Identity Provider (OIDC-compliant).

  2. The application completes the Authorization Code + PKCE flow.

  3. AuthSec validates the user identity and policy constraints.

  4. A short-lived, user-bound access token is issued.

  5. The token is used only for user-initiated actions.

Tokens are intentionally short-lived and narrowly scoped, reducing blast radius and preventing privilege creep.

OAuth 2.1 vs SPIFFE Identities (Important Distinction)

AuthSec intentionally separates who a human is from what a workload is:

Identity Type        Used For                                 Technology
User Identity        Human users, dashboards, admin access    OAuth 2.1 + OIDC
Workload Identity    Services, agents, MCP servers            SPIFFE + SPIRE

OAuth tokens must never be reused for service-to-service or agent authentication.
All non-human communication is handled via SPIFFE-issued identities.

Bridging User Identity to Workloads (Securely)

When a user-triggered action requires backend or agent execution:

  • User OAuth 2.1 tokens terminate at the API boundary

  • Backend services authenticate using SPIFFE workload identities

  • AuthSec enforces explicit trust boundaries

  • No user tokens are forwarded to agents or services

This prevents token leakage and eliminates confused-deputy problems.

Security Guarantees

  • No implicit or password flows

  • No long-lived refresh tokens for public clients

  • PKCE enforced by default

  • Token audience and scope validation

  • Clear identity boundary between users and machines

OAuth 2.1 is used only where humans are involved.
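As an added example (not AuthSec's own code), the following Python shows the two mechanics behind the steps above and the guarantees just listed: S256 PKCE generation and verification as specified in RFC 7636, and the expiry, audience, scope and subject checks an API performs on a user token before acting on it. The audience names and the sample claims are constructed for illustration.

```python
import base64
import hashlib
import secrets
import time

def b64url(raw: bytes) -> str:
    """Unpadded base64url, the encoding RFC 7636 uses for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def pkce_challenge(verifier: str) -> str:
    """S256: code_challenge = BASE64URL(SHA256(code_verifier)). OAuth 2.1 drops 'plain'."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def make_pkce_pair():
    """Client side (step 2): a fresh 32-byte verifier (43 chars) and its challenge."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)

def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization server side: the code exchange must present the verifier
    whose hash was bound to the authorization code; compared in constant time."""
    return secrets.compare_digest(pkce_challenge(presented_verifier), stored_challenge)

def validate_user_token(claims: dict, expected_aud: str, required_scope: str, now=None):
    """API boundary check (step 5): token must be unexpired, issued for THIS
    audience, carry the scope for the requested action, and name a human subject."""
    now = time.time() if now is None else now
    if float(claims.get("exp", 0)) <= now:
        return False, "expired"
    aud = claims.get("aud", [])
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        return False, "audience mismatch"
    if required_scope not in str(claims.get("scope", "")).split():
        return False, "missing scope"
    if not claims.get("sub"):
        return False, "not user-bound"
    return True, "ok"

# Constructed sample claims for a dashboard login; not a real AuthSec token.
# Presenting this same token to a workload-facing API (a different audience)
# fails the audience check, which is how "tokens terminate at the API boundary"
# is enforced in code rather than by convention.
SAMPLE_CLAIMS = {"sub": "user-123", "aud": "dashboard-api",
                 "scope": "dashboard:read dashboard:write", "exp": 1_700_000_600}
```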

When to Use OAuth 2.1

Use OAuth 2.1 if:

  • A human user is signing in

  • You are building dashboards, admin panels, or frontends

  • User consent and identity are required

Do not use OAuth 2.1 for:

  • Agent-to-agent communication

  • MCP servers

  • Background jobs or autonomous workloads

Those are secured with SPIFFE and SPIRE.

AuthSec’s Zero-Trust Identity Model

OAuth 2.1 provides entry-point authentication for users.
SPIFFE provides continuous identity for workloads.

Together, they enable:

  • Zero-trust architectures

  • Minimal blast radius

  • Clear audit trails

  • Strong separation of concerns

© 2025 AuthSec. All rights reserved