Probably this introduction is good for some purposes, but for me it is too informal and too far from (my) reality. I would say it is 90% identical to many other introductions to OAuth.<p>I have been trying to comprehend and formulate the main idea behind the usage of this technology, for example, as follows:<p><pre><code> OAuth allows us to use surrogates (like JWT) instead of the original credentials (like name and password), with the main benefit that once the surrogate is available, the original credentials are not needed anymore: neither by the client nor by the server
</code></pre>
Why is this the central idea? Because we do not consider where and how the tokens are obtained: you can get them via a USB stick or maybe forge them somehow artificially. It is important only that access to resources requires a special piece of data rather than (traditional) credentials. The main question for the client is whether the server will accept this token or not. For the server, the main question is whether it can trust this client and its tokens. We also abstract from what is inside this token and how the server decides what to do; these are considered details.<p>Am I missing something more important?
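As an added illustration of the commenter's framing (this is editorial example code, not something from the post or from any OAuth library), here is a minimal issuer and resource server that share an HMAC key. The resource server never sees a password; its only question is whether it trusts the presented token, which in practice means checking the signature, the pinned algorithm, the audience and the expiry. The key, the audience name `photos-api`, the scopes and the user names are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: a key shared by the issuer and the resource
# server. Hypothetical value; a real deployment would use a random key or
# asymmetric signing.
SECRET_KEY = b"example-shared-secret-do-not-use-in-production"
EXPECTED_AUD = "photos-api"  # hypothetical audience identifier


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, scope: str, ttl: int = 3600, now=None, key: bytes = SECRET_KEY) -> str:
    """Authorization-server side: mint an HS256 JWT. Once the client holds
    this surrogate, the user's password is needed by neither party."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "scope": scope, "aud": EXPECTED_AUD, "iat": now, "exp": now + ttl}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, now=None, key: bytes = SECRET_KEY) -> dict:
    """Resource-server side: decide whether to trust the token. Returns the
    claims on success and raises ValueError otherwise."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm: the token must not get to choose how it is verified
    # (this rejects "alg": "none" and key-confusion attempts).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison of the signature.
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def handle_request(authorization_header, required_scope: str, now=None):
    """Accept or reject one request based solely on the bearer token.
    Returns an (HTTP status, message) pair."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = verify_token(authorization_header[len("Bearer "):], now=now)
    except ValueError as e:
        return 401, f"invalid token: {e}"
    if required_scope not in claims.get("scope", "").split():
        return 403, "insufficient scope"
    return 200, f"ok for {claims['sub']}"


if __name__ == "__main__":
    t0 = int(time.time())
    tok = issue_token("alice", "photos:read", now=t0)
    print(handle_request("Bearer " + tok, "photos:read", now=t0 + 10))
    print(handle_request("Bearer " + tok, "photos:write", now=t0 + 10))
    print(handle_request("Bearer " + tok, "photos:read", now=t0 + 4000))
```

The point the example makes concrete is the asymmetry in the post: the client only needs to know whether the server will accept the string it holds, while the server's whole job is the trust decision inside `verify_token`. Everything about how the token was obtained is outside that function.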