user1745356

Reputation: 4683

Difference between OpenID connect and oAuth2 from an oAuth client perspective

Okay, I understand that OpenID Connect is about authentication and oAuth2.0 is about authorization and OpenID Connect is built on top of oAuth2.0. I also understand the difference between these two terms.

I am creating a web app which is also an oAuth2.0 client. A user first needs to sign in to Google in order to use my app. After I receive access_token I query google api and get all the necessary info about a user. Google uses OpenID protocol.

AFAIK Facebook uses just oAuth2.0. But the flow is basically the same as it is with Google. So what is the difference here?

Upvotes: 4

Views: 940

Answers (1)

Hans Z.

Reputation: 53958

The difference is that OpenID Connect standardizes the so-called userinfo endpoint and the claims that are returned from that endpoint. Facebook uses a proprietary endpoint and claims set, therefore Facebook does not conform to OpenID Connect even though both provide a similar login mechanism. Since they both are built on top of OAuth 2.0, Facebook is an OAuth 2.0 protocol with a custom extension and OpenID Connect is an OAuth 2.0 with a standardized extension (or: profile).

Upvotes: 4
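To make the answer's point concrete from the client's side, here is an added example (not code from the question, the answer, Google or Facebook) that parses two constructed JSON bodies: one shaped like a standard OpenID Connect userinfo response, one shaped like a Facebook Graph `/me` response. The endpoint URLs in the comments are only there for orientation; the code runs entirely offline on the embedded samples. The point it shows is that with OIDC the client can rely on fixed claim names (`sub`, `email`, `email_verified`, ...), while for Facebook the mapping from proprietary field names to the same identity fields is something the client has to write itself, and the absence of a standard `email_verified` claim has to be handled explicitly.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample responses; the values are made up and carry no real identity.
# An OIDC provider's userinfo endpoint is found via its discovery document
# (e.g. .../.well-known/openid-configuration -> "userinfo_endpoint"); claim
# names below are the standard ones from OpenID Connect Core section 5.1.
OIDC_USERINFO = json.dumps({
    "sub": "110169484474386276334",
    "name": "Jane Example",
    "email": "jane@example.com",
    "email_verified": True,
    "picture": "https://example.invalid/photo.jpg",
})

# Facebook's Graph API (GET /me?fields=id,name,email) uses its own field names;
# "id" plays the role OIDC assigns to "sub", and there is no "email_verified".
FACEBOOK_ME = json.dumps({
    "id": "10203040506070809",
    "name": "Jane Example",
    "email": "jane@example.com",
})


@dataclass(frozen=True)
class Identity:
    """Provider-independent view of the logged-in user."""
    issuer: str            # who asserted the identity
    subject: str           # stable, issuer-scoped user id
    name: Optional[str]
    email: Optional[str]
    email_verified: bool   # only trust email for linking if this is True


def parse_oidc_userinfo(issuer: str, body: str) -> Identity:
    """Parse a standard OIDC userinfo response. 'sub' is REQUIRED by the spec,
    so a response without it is rejected rather than guessed around."""
    claims = json.loads(body)
    if "sub" not in claims or not isinstance(claims["sub"], str):
        raise ValueError("userinfo response lacks required 'sub' claim")
    return Identity(
        issuer=issuer,
        subject=claims["sub"],
        name=claims.get("name"),
        email=claims.get("email"),
        # Missing claim means "not verified"; never default to True.
        email_verified=bool(claims.get("email_verified", False)),
    )


def parse_facebook_me(body: str) -> Identity:
    """Parse a Facebook Graph /me response. This mapping is proprietary to
    Facebook and has to be maintained by the client; OIDC standardizes it."""
    data = json.loads(body)
    if "id" not in data or not isinstance(data["id"], str):
        raise ValueError("/me response lacks 'id'")
    return Identity(
        issuer="https://www.facebook.com",   # label, not an OIDC issuer value
        subject=data["id"],
        name=data.get("name"),
        email=data.get("email"),
        # No standard verification claim here, so treat the address as unverified.
        email_verified=False,
    )


def account_key(identity: Identity) -> str:
    """Key local accounts on (issuer, subject), never on e-mail alone: an e-mail
    can be reassigned or be unverified at one provider, whereas 'sub' is defined
    to be unique and stable within its issuer."""
    return f"{identity.issuer}|{identity.subject}"


if __name__ == "__main__":
    google_user = parse_oidc_userinfo("https://accounts.google.com", OIDC_USERINFO)
    fb_user = parse_facebook_me(FACEBOOK_ME)
    for ident in (google_user, fb_user):
        print(account_key(ident), ident.email, "verified" if ident.email_verified else "unverified")
```

Two practical consequences follow from the parsing above: a client written against OIDC can be pointed at any conforming provider by swapping the discovery document, whereas the Facebook parser is specific to one API; and because only OIDC gives the client a standard `email_verified` claim, linking a newly signed-in user to an existing local account by e-mail address is safe only when that claim is present and true.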
