OAuth 2 and OpenID Connect (OIDC)

(October 2023)

OpenID Connect (OIDC) is an authentication protocol that has been widely adopted by identity providers. OIDC can provide single sign-on across applications by issuing JSON Web Tokens (JWT), so that users never have to share their credentials with the individual services. OIDC uses and extends OAuth.

OAuth is an authorization protocol for access delegation. OAuth is commonly used as a way for internet users to grant websites or applications access to their information on other websites without disclosing their passwords.

OIDC extends OAuth 2 with an added scope value (openid), an extra JSON Web Token (the ID token) that encapsulates the identity claims, and a focus on authentication rather than authorization. OIDC uses the term flow where OAuth says grant.

An OIDC provider performs authentication, user consent, and token issuance. A service or application asking about the user’s identity is called the relying party.

The OpenID Provider sets the authentication methods available to users (e.g., username/password, one-time code, biometrics). The OIDC specs don’t specify user authentication mechanics.

OAuth defines four roles: