OAuth2 Authentication allows users to log into your Drupal site authenticating against a remote identity provider (IDP) via OAuth2.

That is, if a user's credentials can be used to retrieve a valid access token, he/she will be logged into the site with those credentials and the token will be added to his/her session. If the user doesn't exist yet, it will be created.

In doing this, we're making the assumption that resource requesters are actually resource owners. Generally, one shouldn't make that assumption as OAuth2 is an authorization mechanism, not an authentication mechanism.

If you found this module looking for a standard way to have users log in via OAuth2, then you should probably go with OpenID Connect instead. It provides a proper identity layer on top of OAuth2. Think of it like the evolution of SAML. This module is meant for those that don't have access to an OpenID Connect server, do have access to an IDP that speaks OAuth2, and can trust the environment in which all of it operates.

If you haven't considered the security implications of using this module, and you don't control the environment in which it's running, then you shouldn't be using it. For example, you probably don't want to do this sort of thing on a mobile environment as it can't be trusted to the same extent as a Drupal site behind a corporate firewall.

If you made it this far, and are still considering using the module, then make sure you've read and understood the following articles.

It also wouldn't hurt to study the official OAuth 2.0 Threat Model and Security Considerations.



  • When an existing local user logs in, the module will attempt to get an access token for him/her. On success, the token will be added to the user's session. On failure, the user will still be logged in, but will not get a token. Whenever a request to get a token is made, the results are reported in the log.
  • Once you've got this set up, you'll have to ensure that the Web-services client module you're using supports the OAuth2 protocol (i.e. token access to resources). If you're already using one that doesn't, you'll have to add that support. Otherwise, go with one that supports this already.

Similar Modules

OAuth2 Login
OAuth2 Login redirects users to another Drupal site for authentication, and then sends them back logged in once they're authenticated. This module doesn't do any redirection; everything is done behind the scenes. Users logging in won't even know that they're authenticating against another system. They simply log in using the normal Drupal login process, but get an access token on top of that (if granted). Users that don't exist locally will be created during the login process.
Supporting organizations: 
Technical architecture and development
Provided funding

Project information