OAuth 2.0
Authentication: the process of verifying an identity. We confirm they’re who they say they are (username and password).
Authorization: the process of verifying what someone is allowed to do (permissions and access control).
Past solutions
From worst to best, with the problems each one causes:
Credential Sharing
The worst one. An app is not able to differentiate between real user access and programmatic access.
Permissions are typically too broad. It also has the ability to access more content than it should.
Cookie
We could redirect the user off to the API where they could enter their credentials and get a cookie. This allows an app to access the API.
Dangerous because of CSRF attacks. We’ve authorised the whole browser and not the app.
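A small model of why the cookie authorises the whole browser rather than the app. This is an added example, not part of the original notes: the `Browser` class, origins, session value and token are constructed, the model ignores `SameSite` cookie restrictions, and the comparison with an explicitly presented bearer token is included only for contrast.

```javascript
// Constructed model, not a real browser: cookies are stored per destination
// origin and attached to every request to that origin, whichever page sent it.
class Browser {
  constructor() { this.cookieJar = new Map(); }
  setCookie(origin, value) { this.cookieJar.set(origin, value); }
  // initiator = origin of the page whose script or form triggered the request
  request(initiator, targetOrigin, extraHeaders = {}) {
    const headers = { Origin: initiator, ...extraHeaders };
    const cookie = this.cookieJar.get(targetOrigin);
    if (cookie) headers.Cookie = cookie; // ambient: added regardless of initiator
    return headers;
  }
}

const API = "https://api.example"; // hypothetical API origin
const SESSIONS = new Map([["session=abc123", "alice"]]); // constructed session
const TOKENS = new Map([["tok-photo-app", { user: "alice", client: "photo-app" }]]);

// Cookie-authenticated API: only learns that this browser holds a session.
function cookieApi(headers) {
  const user = SESSIONS.get(headers.Cookie);
  return user ? `200 as ${user}` : "401";
}

// Token-authenticated API: the caller must present a token it was issued.
function tokenApi(headers) {
  const m = /^Bearer (.+)$/.exec(headers.Authorization || "");
  const grant = m && TOKENS.get(m[1]);
  return grant ? `200 as ${grant.user} via ${grant.client}` : "401";
}

function demo() {
  const browser = new Browser();
  browser.setCookie(API, "session=abc123"); // user entered credentials at the API
  const app = "https://photo-app.example";
  const other = "https://other-site.example";
  return {
    appWithCookie: cookieApi(browser.request(app, API)),
    otherSiteWithCookie: cookieApi(browser.request(other, API)),
    appWithToken: tokenApi(browser.request(app, API, { Authorization: "Bearer tok-photo-app" })),
    otherSiteWithToken: tokenApi(browser.request(other, API)),
  };
}

console.log(demo());
```

Both cookie requests are accepted as the user because the API cannot tell which page initiated them; only the caller that holds the token passes the token check.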