
OAuth

A delegated-authorization protocol: an app gets a scoped token to act on a user's behalf without ever seeing their password.

OAuth (now usually OAuth 2.0, RFC 6749) is a token-based authorization framework that lets a user grant a third-party application limited access to their resources on another service without sharing their password. The user authenticates directly with the authorization server, which issues a scoped, time-limited access token to the application; the application then presents that token to the resource server on every subsequent API call. OAuth is strictly an authorization protocol; OpenID Connect (OIDC) is the layer built on top of it that turns it into a proper authentication protocol with identity claims.
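
The flow described above, as an added Python example that is not code from this page or from any of the projects it names: a toy in-memory authorization server that binds codes to the registered redirect URI and makes them single-use, a resource-server check that enforces expiry and scope, and a client that runs the authorization-code grant and verifies its `state`. The client name, redirect URI, scope string and user are constructed for the example.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

class AuthorizationServer:
    """Toy in-memory OAuth 2.0 authorization server (constructed for this example)."""
    def __init__(self, clients):
        self.clients = dict(clients)  # client_id -> registered redirect_uri
        self.codes = {}               # one-time authorization codes
        self.tokens = {}              # access_token -> (scope, user, expires_at)

    def authorize(self, client_id, redirect_uri, scope, state, user):
        # The user has just authenticated with *this* server; the client never sees the password.
        if self.clients.get(client_id) != redirect_uri:
            raise ValueError("redirect_uri does not match the registered value")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, scope, user)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, code, redirect_uri, ttl=300):
        entry = self.codes.pop(code, None)  # single use: a replayed code fails
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            raise ValueError("invalid_grant")
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = (entry[2], entry[3], time.time() + ttl)
        return {"access_token": tok, "token_type": "Bearer", "expires_in": ttl, "scope": entry[2]}

def read_files(auth, authorization_header, now=None):
    """Resource server: accept only an unexpired Bearer token carrying the files:read scope."""
    scheme, _, tok = authorization_header.partition(" ")
    entry = auth.tokens.get(tok) if scheme == "Bearer" else None
    if entry is None or (time.time() if now is None else now) >= entry[2]:
        raise PermissionError("invalid_token")
    if "files:read" not in entry[0].split():
        raise PermissionError("insufficient_scope")
    return f"files owned by {entry[1]}"

def run_flow(scope="files:read"):
    """Authorization-code flow end to end; returns (resource, auth_server, token_response)."""
    auth = AuthorizationServer({"notes-app": "https://notes.example/cb"})
    state = secrets.token_urlsafe(8)  # client binds the callback to its own browser session
    redirect = auth.authorize("notes-app", "https://notes.example/cb", scope, state, "alice")
    params = parse_qs(urlparse(redirect).query)
    if params["state"][0] != state:
        raise ValueError("state mismatch on callback")
    resp = auth.token("notes-app", params["code"][0], "https://notes.example/cb")
    return read_files(auth, f"Bearer {resp['access_token']}"), auth, resp
```

Calling `run_flow(scope="profile")` shows the resource server refusing a valid but under-scoped token, and a second `token()` call with the same code fails because the code was consumed.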

In a self-hosting context

For self-hosters, OAuth is the protocol that lets your self-hosted apps trust a self-hosted IdP. Keycloak and Authentik both ship as OAuth 2.0 / OIDC providers, and most self-hostable SaaS replacements (Mattermost, Nextcloud, Gitea) accept OAuth tokens from either of them. Replacing a managed IdP such as Auth0 with a self-hosted Keycloak instance is a common first SSO migration; see SSO (Single Sign-On) for the framing and JWT (JSON Web Token) for the token format.
