OAuth 2.0 lets a third-party app access a user's resources without the user handing over their credentials. Flow (authorization code grant): user is sent to the authorization server and grants permission → authorization server redirects back to the app's registered redirect_uri with a short-lived authorization code → app exchanges the code for an access token at the token endpoint → app presents the token to the resource server.
OAuth = authorization (what can this app do?). OpenID Connect adds authentication on top (who is this user?) by issuing a signed ID token alongside the access token. Common attacks: authorization code interception, token theft, open redirect through a manipulated redirect_uri. Validate redirect_uri by exact string match against the value registered for that client_id (no prefix, wildcard or substring matching), bind the code to the client with PKCE so an intercepted code cannot be redeemed, and tie the request to the session with an unguessable state parameter.
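The checks above as an added example (not code from the page): a minimal authorization server in Python that shows prefix-matching of redirect_uri beside exact matching, and binds each issued code to the client, its redirect_uri and a PKCE challenge so an intercepted code is useless without the verifier. The client_id `app-123`, the URIs and the in-memory code store are constructed for illustration.

```python
"""Added example: strict redirect_uri validation plus PKCE-bound authorization codes."""
import base64
import hashlib
import secrets
from typing import Optional

# Constructed client registry (hypothetical client_id and redirect URI).
REGISTERED_CLIENTS = {
    "app-123": {"https://app.example/callback"},
}


def _b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE (RFC 7636) specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def weak_redirect_uri_allowed(client_id: str, requested: str) -> bool:
    """The mistake to avoid: prefix matching accepts anything that merely starts
    with the registered URI, e.g. a path that escapes to an open redirect on the app."""
    return any(requested.startswith(uri) for uri in REGISTERED_CLIENTS.get(client_id, ()))


def strict_redirect_uri_allowed(client_id: str, requested: str) -> bool:
    """Exact string comparison against the pre-registered set: no prefixes,
    no wildcards, no normalisation."""
    return requested in REGISTERED_CLIENTS.get(client_id, set())


def make_pkce_pair() -> tuple:
    """Client side: random code_verifier and its S256 code_challenge."""
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


class AuthorizationServer:
    """Authorization-code grant with PKCE; issued codes live in memory for the example."""

    def __init__(self) -> None:
        self._codes = {}

    def authorize(self, client_id: str, redirect_uri: str, code_challenge: str, state: str) -> str:
        """Authorization endpoint, called after the user consents.
        Returns the URL the browser is redirected to."""
        if not strict_redirect_uri_allowed(client_id, redirect_uri):
            # Never redirect to an unvalidated URI; that is the open-redirect / code-leak case.
            raise ValueError("invalid redirect_uri")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "challenge": code_challenge,
        }
        # state is echoed back unchanged so the client can match it to its session.
        return f"{redirect_uri}?code={code}&state={state}"

    def token(self, client_id: str, code: str, redirect_uri: str, code_verifier: str) -> Optional[str]:
        """Token endpoint. The code is single-use and must be presented with the same
        client_id and redirect_uri, plus a verifier that hashes to the stored challenge."""
        record = self._codes.pop(code, None)  # pop: a replayed code fails even if valid
        if record is None:
            return None
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            return None
        expected = _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not secrets.compare_digest(expected, record["challenge"]):
            return None  # intercepted code without the verifier is worthless
        return "access-" + secrets.token_urlsafe(16)


if __name__ == "__main__":
    srv = AuthorizationServer()
    verifier, challenge = make_pkce_pair()
    location = srv.authorize("app-123", "https://app.example/callback", challenge, "s3ss10n")
    code = location.split("code=")[1].split("&")[0]
    print("attacker with code only:", srv.token("app-123", code, "https://app.example/callback", "guess"))
    location = srv.authorize("app-123", "https://app.example/callback", challenge, "s3ss10n")
    code = location.split("code=")[1].split("&")[0]
    print("legitimate client:", srv.token("app-123", code, "https://app.example/callback", verifier))
```

The redirect check happens before a code is minted: if the authorization server redirects first and validates later, the code has already been sent to the attacker's URL. The token endpoint re-checks redirect_uri because the code was bound to the one used at authorization time; an attacker who tricked the server into a different value at either step gets nothing.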