Reputation: 16762
As I understand it, if you want your app to sign in via OAuth then you have to write separate code for each provider (Google, Twitter, etc.).
And with OpenID you don't - it handles the providers for you and you just handle connecting to OpenID.
Now that OpenID has become OpenID Connect (which is a layer running on top of OAuth 2.0), if I use it, would I still need to write separate code (since it relies on OAuth), or would I just need to write a single bit of code for the OpenID part and it would handle all the underlying OAuth providers?
Upvotes: 1
Views: 58
Reputation: 2699
Conceptually, OpenID is an SSO (authentication) protocol while OAuth is an authorization (access resource on behalf of the user) protocol. Practically, both seem close as the user needs to log in. OAuth supports several different flows and OpenID is built on auto-discovery (the user identifier references the identity provider). OpenID Connect is built on top of OAuth with the auto-discovery idea of OpenID (specific URL).
For these three protocols, you don't really need to write separate different code for each provider, you can have some common component with customizations due to the different configuration (server URL) or attributes retrieval configuration. For OAuth where things are a little blurry, implementations may have more substantial differences.
Taken from my experience of the pac4j security library: https://github.com/pac4j/pac4j
Upvotes: 2
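To illustrate the point about one common component driven by per-provider configuration, here is an added example (not part of the answer above and not pac4j code) of a single OpenID Connect code path that works from each provider's discovery metadata. The issuer hostnames, the `DISCOVERY` table standing in for the HTTPS fetch of `/.well-known/openid-configuration`, and the function names are assumptions made for the sketch.

```python
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed provider metadata, shaped like the JSON an OpenID Connect provider
# serves at <issuer>/.well-known/openid-configuration. Hostnames are placeholders.
DISCOVERY = {
    "https://idp-a.example": {
        "issuer": "https://idp-a.example",
        "authorization_endpoint": "https://idp-a.example/oauth2/authorize",
        "token_endpoint": "https://idp-a.example/oauth2/token",
        "jwks_uri": "https://idp-a.example/oauth2/keys",
    },
    "https://idp-b.example/tenant1": {
        "issuer": "https://idp-b.example/tenant1",
        "authorization_endpoint": "https://login.idp-b.example/tenant1/auth",
        "token_endpoint": "https://login.idp-b.example/tenant1/token",
        "jwks_uri": "https://login.idp-b.example/tenant1/certs",
    },
    # Broken on purpose: the document names a different issuer than the one asked for.
    "https://idp-c.example": {
        "issuer": "https://other.example",
        "authorization_endpoint": "https://idp-c.example/auth",
        "token_endpoint": "https://idp-c.example/token",
        "jwks_uri": "https://idp-c.example/keys",
    },
}
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def load_provider(issuer, fetch=DISCOVERY.get):
    """Return validated metadata; `fetch` stands in for the HTTPS GET of the discovery URL."""
    meta = fetch(issuer)
    if meta is None:
        raise LookupError(f"no discovery document for {issuer}")
    # Discovery requires the returned issuer to equal the issuer that was queried.
    if meta.get("issuer") != issuer:
        raise ValueError(f"issuer mismatch for {issuer}")
    for key in ENDPOINTS:
        if urlsplit(meta.get(key, "")).scheme != "https":
            raise ValueError(f"{key} missing or not https")
    return meta

def build_auth_request(meta, client_id, redirect_uri):
    """Provider-independent authorization code request; returns (url, state, nonce)."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    query = urlencode({
        "response_type": "code", "scope": "openid", "client_id": client_id,
        "redirect_uri": redirect_uri, "state": state, "nonce": nonce,
    })
    return f"{meta['authorization_endpoint']}?{query}", state, nonce
```

The only per-provider input is the issuer URL plus the client registration; the returned `state` and `nonce` must be stored in the user's session and checked against the callback and the ID token respectively.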