Login notes (1): CAS and OAuth


https://www.jianshu.com/p/18aedcaf47f2


In CAS single sign-on, the protected resources live on the client (the service) side; they are not on the CAS server.

The user gives the username and password to the CAS server; the client never sees them.

The CAS server then simply hands the client a service ticket (ST). The client cannot tell on its own whether the ST the user presents is forged or genuinely valid, so it takes the ST back to the CAS server and asks: "Is this user's ST valid or not?" If the server says it is valid, the client lets the user in.

 

In OAuth2 authorization, the resources live on the OAuth2 service provider's side, and the client wants to obtain a user's resources.

So in the most secure mode, after the user grants authorization, the server must not return the token directly by redirecting to the client, because a token sent through the redirect can be intercepted by an attacker; if an attacker holds that token, the user's resources are exposed to them.

Instead, the server sends an authorization code to the client (via the redirect). The client, in the background over HTTPS, uses that code together with a secret string that the client and server agreed on in advance to obtain the access token and refresh token. This process is very safe.

If an attacker intercepts the code, they do not have the pre-agreed secret, so they still cannot obtain the token. In this way OAuth2 can guarantee that the requested resource has the user's consent and that the client is an approved one, so the resources can safely be sent to the client.

 

So the biggest difference between CAS login and OAuth2 is whether, at the moment the ST or the code is exchanged for authentication, a secret agreed on in advance is required.
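To make the contrast concrete, here is an added in-memory simulation of both flows described above (CAS ticket validation and the OAuth2 authorization-code exchange). It is not code from the original post, nor real CAS or OAuth2 server code: ticket and code formats, expiry, PKCE and scopes are omitted, and the user credentials, client id, client secret and URLs are constructed demo values. The point it shows is that a CAS ST is validated by asking the server with the ticket alone, while an OAuth2 code is useless without the pre-agreed client secret, and that both are single-use.

```python
import hmac
import secrets

# Constructed demo credentials; a real deployment stores only password hashes.
DEMO_USERS = {"alice": "correct-horse-battery"}


class CasServer:
    """CAS: the server checks the password and hands out a one-time service ticket."""

    def __init__(self):
        self._tickets = {}  # ST -> (service_url, username)

    def login(self, username, password, service_url):
        # The password is checked here only; the client never sees it.
        if DEMO_USERS.get(username) != password:
            return None
        st = "ST-" + secrets.token_urlsafe(16)
        self._tickets[st] = (service_url, username)
        return st  # delivered to the client through the browser redirect

    def validate(self, st, service_url):
        # The ticket is consumed on validation, so a replayed ST fails.
        entry = self._tickets.pop(st, None)
        if entry is None or entry[0] != service_url:
            return None
        return entry[1]


class CasClient:
    """The CAS client only ever sees the ST and asks the server whether it is valid."""

    def __init__(self, cas, service_url):
        self.cas, self.service_url = cas, service_url

    def handle_ticket(self, st):
        # No client secret is involved: the server's answer about the ST decides.
        return self.cas.validate(st, self.service_url)


class OAuthServer:
    """OAuth2 authorization-code grant: code via redirect, token via back channel."""

    def __init__(self, clients):
        self._clients = clients  # client_id -> (client_secret, redirect_uri)
        self._codes = {}  # code -> (client_id, username)

    def authorize(self, client_id, redirect_uri, username):
        # The user has consented; the redirect carries a short code, not a token.
        _secret, registered_uri = self._clients[client_id]
        if redirect_uri != registered_uri:
            return None
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, username)
        return code

    def token(self, code, client_id, client_secret):
        # Back-channel request: the pre-agreed client secret must accompany the code.
        registered = self._clients.get(client_id)
        if registered is None or not hmac.compare_digest(registered[0], client_secret):
            return None
        entry = self._codes.pop(code, None)  # the code is single-use
        if entry is None or entry[0] != client_id:
            return None
        return {"access_token": secrets.token_urlsafe(24),
                "refresh_token": secrets.token_urlsafe(24),
                "user": entry[1]}


def demo_cas():
    cas = CasServer()
    client = CasClient(cas, "https://app.example/")
    st = cas.login("alice", "correct-horse-battery", "https://app.example/")
    first = client.handle_ticket(st)            # "alice": server confirms the ST
    replay = client.handle_ticket(st)           # None: ticket already consumed
    forged = client.handle_ticket("ST-forged")  # None: server never issued it
    return first, replay, forged


def demo_oauth():
    clients = {"app": ("app-secret-agreed-in-advance", "https://app.example/cb")}
    srv = OAuthServer(clients)
    code = srv.authorize("app", "https://app.example/cb", "alice")
    # Someone who intercepted the redirect has the code but not the secret.
    without_secret = srv.token(code, "app", "wrong-guess")
    legit = srv.token(code, "app", "app-secret-agreed-in-advance")
    reused = srv.token(code, "app", "app-secret-agreed-in-advance")
    return without_secret, legit["user"] if legit else None, reused


if __name__ == "__main__":
    print(demo_cas())    # ('alice', None, None)
    print(demo_oauth())  # (None, 'alice', None)
```

Running the two demo functions shows the asymmetry the post describes: `CasClient.handle_ticket` succeeds with nothing but the ST, whereas `OAuthServer.token` refuses the intercepted code until the pre-agreed secret is supplied, and in both protocols the credential cannot be presented a second time.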

 

Origin www.cnblogs.com/SZLLQ2000/p/11270632.html