Ben Finkel

Reputation: 4803

Do all OpenID Connect Providers implement uniformly?

One of the challenges with using OAuth 2.0 is that the variability in the spec means that each provider implements OAuth a little differently. If I want to write a consumer for OAuth I need to do some pretty specific coding for each provider I want to implement.

Would it be accurate to state that OpenID Connect is narrowly defined enough to avoid this trap? Should a single, generic OIC consumer library be able to connect to any certified OIC provider without custom code for each provider?

Thanks in advance!

[edit] - grammar

Upvotes: 0

Views: 61

Answers (1)

Hans Z.

Reputation: 53928

When using OAuth 2.0 for user authentication you run into the trap that you describe, also documented here: http://oauth.net/articles/authentication/, i.e. every provider has to implement its own extension to make OAuth 2.0 fit that use case because OAuth 2.0 was not designed for user authentication or Web SSO.

But when using the OpenID Connect profile of OAuth 2.0 you will indeed be able to use a generic OpenID Connect Client/RP against arbitrary Providers for authenticating users, assuming both follow the spec. As an example of that, see: https://github.com/pingidentity/mod_auth_openidc

Upvotes: 2
