OAuth 2 and OpenID Connect (OIDC)

(October 2023)

OpenID Connect (OIDC) is an authentication protocol that has been widely adopted by identity providers. OIDC may be used for single sign-on across applications using JSON Web Tokens (JWT) to avoid sharing user secrets with services. OIDC uses and extends OAuth.

OAuth is an authorization protocol for access delegation. OAuth is commonly used as a way for internet users to grant websites or applications access to their information on other websites but without disclosing their passwords.

OIDC extends OAuth2 with an added scope value (openid), an extra JSON web token that encapsulates the identity claims, and a focus on authentication rather than authorization. OIDC talks about flow in place of OAuth’s grant.

An OIDC provider does authentication, user consent, and token issuance. A service or application asking about the user’s identity is called the relaying party.

The OpenID Provider sets the authentication methods available to users (e.g., username/password, one-time code, biometrics). The OIDC specs don’t specify user authentication mechanics.

OAuth defines four roles:

• Resource owner: a user who authorizes an application to access their identity. The application’s access to the user’s identity is limited to the scope of authorization granted (e.g. read or write)
• Client: the application that wants to access a user’s account. The user must authorize the client to access the user’s account. Clients must register a callback URL with the identity provider in advance.
• Resource server: hosts user accounts.
• Authorization server: verifies identity of users, then issues access tokens.

References

• https://en.wikipedia.org/wiki/OAuth
• https://auth0.com/intro-to-iam/what-is-openid-connect-oidc
• https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
• https://developers.login.gov/oidc/