l5o161 b9kyit

Reputation: 41

Why can't I use OAuth for authentication?

When using OAuth, the resource owner needs to enter their credentials.

Each time that resource owner accesses my application, if they're not connected to the third-party authorization server, they will always have to enter their credentials.

Why can't I consider that as authentication for my application? Why are people throwing rocks at me with "OpenID Connect" written on them?

Upvotes: 1

Views: 391

Answers (2)

Parveen Arora

Reputation: 21

OAuth (Open Authorization) is a protocol designed to enable the delegated authorisation flow between a resource server and an identity server. An identity server is an application which contains the information about the user. A resource server is the application which the user wants to access, and that application is configured with the said identity server. The identity server, upon getting user consent for the said application, generates an access token and not an ID token. The access token contains all authorisation-specific data and additionally might contain some information which you might be considering as authentication data. Relying on the delegated authorisation response for authentication purposes can create problems in future if identity providers opt to use a different format (usable only by the resource server) and skip authentication-specific data.

Upvotes: 1

iandayman

Reputation: 4467

In some cases people do use OAuth 2.0 access tokens for authentication, e.g. if the access token is a non-encrypted value-type token (e.g. a JWT), then it's very tempting for a client application to take the authentication information out of the access token.

The access token however is not meant to be used by the client, other than to pass on to a resource API the user has delegated access to.

The client may know how to get a user ID out of a token now, but there's no guarantee that the token format won't change in the future, or switch to being encrypted. This would break the client, as it has taken a dependency on something not intended for it.

Access tokens are designed for resource servers.

  • The format, security and content of the tokens are agreed between the resource server and the authorisation server.

ID tokens are designed for clients (relying parties), i.e. your application.

  • This is why people are throwing OpenID Connect at you. It's a fixed-format token which the client can depend on. Also, OpenID Connect offers useful things like session management.

Upvotes: 2
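As an added example (not code from either answer), here is the client-side check that makes the distinction concrete: the relying party validates an ID token's signature, `iss`, `aud`, `exp` and `nonce` as OpenID Connect requires, and an access token minted for a resource API fails that check even though it carries a `sub` claim. The issuer, client_id, tokens and the shared HS256 key are constructed for the demo; real providers sign with asymmetric keys published via JWKS.

```python
import base64, hashlib, hmac, json

# Constructed demo values. A shared HS256 key keeps the example offline; real OIDC
# providers sign ID tokens with RS256/ES256 and publish their keys via JWKS.
DEMO_KEY = b"demo-shared-secret-not-for-production"
ISSUER = "https://idp.example.com"   # constructed issuer
CLIENT_ID = "my-web-app"             # constructed client_id of the relying party
FIXED_NOW = 1_700_000_000            # constructed clock so the checks are deterministic

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint a compact HS256 JWT; stands in for the authorization server."""
    header = _b64url(json.dumps({"alg": "HS256"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_id_token(token: str, nonce: str, now: int, key: bytes = DEMO_KEY) -> dict:
    """OIDC Core 3.1.3.7 client checks: signature, iss, aud, exp, nonce; raises ValueError."""
    header, body, sig = token.split(".")   # wrong segment count also raises ValueError
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("not issued to this client")   # access tokens fail here
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")   # binds the token to this login attempt
    return claims

def login_subject(token: str, nonce: str, now: int = FIXED_NOW):
    """The user id the client may trust, or None if this is not an ID token for us."""
    try:
        return validate_id_token(token, nonce, now)["sub"]
    except (ValueError, KeyError):
        return None

# Constructed tokens: ID token aud = the client, access token aud = the resource API.
# Both carry "sub", which is exactly what tempts a client to misuse the access token.
ID_TOKEN = sign_jwt({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-123", "nonce": "n-1",
                     "exp": FIXED_NOW + 300})
ACCESS_TOKEN = sign_jwt({"iss": ISSUER, "aud": "https://api.example.com", "sub": "user-123", "exp": FIXED_NOW + 3600})
```

`login_subject(ID_TOKEN, "n-1")` yields the user id, while the access token, a stale nonce or an expired token all yield `None`, so the application never logs anyone in on the strength of a token that was not issued to it.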
