What is OpenID Connect?

• OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol (used for authentication and profile creation)
• OpenID Connect is the superior protocol: it extends and supersedes OAuth2
• OpenID Connect (OIDC) is an authentication protocol, based on the OAuth 2.0
  • It uses simple JSON Web Tokens (JWT), which you can obtain using flows conforming to the OAuth 2.0 specifications
  • While OAuth 2.0 is about resource access and sharing, OIDC is all about user authentication. Its purpose is to give you one login for multiple sites
  • OpenID Connect is for Authentication & Single Sign On (SSO), while OAuth2 is for delegated authorization
• OpenID Connect is an extension to OAuth2
  • OAuth2 : acess token only
  • OpenID Connect: access token + identity (authentication) token
• Provide authentication (i.e. identity) on top of OAuth2
• Introduces:
  • JWT (JSON Web Token) standard token format
  • An ID token with private information identifying the user (not an access token, not
  • used for accessing resources)
  • Some standard scopes like openid, profile, email, etc..
  • Some standard endpoints like /login, /token and /userinfo
  • And other things like discovery, logout, etc…
• Still has all the OAuth2 Goodness
• Links:
  • dev-handy-sites#web-security
  • https://developer.okta.com/blog/2017/07/25/oidc-primer-part-1
  • https://openid.net/specs/openid-connect-core-1_0.html#Claims
  • https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens

Notes:

• Even if the client application only requires authorization to access an API, we should use OIDC instead of plain OAuth2
• OIDC isn’t just for new or API-based applications

Problems with OAuth 2.0 for authentication

• No standard way to get the user’s information
• Every implementation is a little different
• No common set of scopes

What OpenID Connect adds

OpenID Connect adds the following on top of OAuth 2.0

• ID token
• /userinfo endpoint for getting more user information
• Standard set of scopes
• Standardized implementation

OpenID Connect is a simple identity layer built on top of the OAuth 2.0 protocol, which allows clients to verify the identity of an end user based on the authentication performed by an authorization server or identity provider (IdP), as well as to obtain basic profile information about the end user in an interoperable and REST-like manner. OpenID Connect specifies a RESTful HTTP API, using JSON as a data format.

OAuth2 vs OpenID Connect

Use OAuth 2.0 for:

• Granting access to your API
• Getting access to user data in other systems (Authorization)

Use OpenID Connect for:

• Logging the user in
• Making your accounts available in other systems (Authentication)

Flow

Coutesy: https://andrewlock.net/an-introduction-to-openid-connect-in-asp-net-core/

Overview

OpenID Connect authorization code flow

Courtesy: that-2019-oauth-and-oidc by dogeared