user3813234

Reputation: 1682

how would authentication be done in OAuth2 without OIDC?

I know there is lots of material on this point out there but I still don't quite get it.

I know that OAuth2 is not for authentication and that you need OIDC on top to have authentication.

But I still don't quite understand why.

If I look at the implicit flow, one of the steps is that the user authenticates to the authorization server and an access token is then issued.

This is authentication, isn't it?

So why do we still need OIDC and the ID token? Is it because the access token itself is not enough and the JWT makes sure the user can be authenticated later on by the backend services?

And how would you do authentication if you only had OAuth2 and no OIDC?

Upvotes: 9

Views: 1803

Answers (1)

akdombrowski

Reputation: 1120

Disclosure: I work for Ping Identity.

I wrote a blog on why OpenID Connect is useful on top of OAuth 2.0, and I think it would help out here.

https://www.pingidentity.com/en/resources/blog/post/oidc-adds-authentication.html

Basically, the OAuth 2.0 framework provides a way for the client to ask the authorization server to go and get authorization from the resource owner.

i.e., the client says to the authorization server, "I need to access a protected resource owned by John, can you go ask John to authorize this access." The authorization server can then do its thing and come back with an access token to the client to access the protected resource.

However, if the client asks, "How do I know it was actually John that provided authorization?" the OAuth 2.0 framework doesn't give a way to answer this.

OpenID Connect provides that extra ID token, in addition to the access token, that the client can check to see if it's John.

Upvotes: 3
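The check the answer describes, as an added example that is not part of the original answer, the question, or any Ping Identity code: the authorization server hands the client an opaque access token plus an ID token, and only the ID token lets the client verify that it really was John who authorized, and for this particular request. The issuer URL, client_id and the HS256 shared secret are constructed for the demo; real providers usually sign ID tokens with an RSA/EC key published via JWKS, but the claim checks (signature, iss, aud, exp, nonce) are the same.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed values for the demo (assumptions, not real endpoints or keys).
ISSUER = "https://as.example"          # assumed authorization server URL
CLIENT_ID = "client-123"               # assumed client_id registered at the AS
# A shared HMAC secret keeps the example offline. Real providers usually sign
# ID tokens with an asymmetric key published in their JWKS.
SHARED_SECRET = b"demo-shared-secret-not-for-production"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(header: dict, claims: dict, secret: bytes) -> str:
    """Build a compact JWS (header.payload.signature) with HS256."""
    parts = [b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    signing_input = ".".join(parts).encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return ".".join(parts + [b64url(sig)])


def issue_tokens(subject: str, nonce: str, now: int):
    """What the AS returns after John authorizes: an opaque access token plus an ID token.

    The access token is random bytes meant for the resource server; it tells the
    client nothing about who authorized. The ID token is addressed to the client
    (aud = client_id) and asserts who authenticated (sub) and for which request (nonce).
    """
    access_token = secrets.token_urlsafe(32)
    id_token = sign_jwt(
        {"alg": "HS256", "typ": "JWT"},
        {"iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
         "iat": now, "exp": now + 300, "nonce": nonce},
        SHARED_SECRET,
    )
    return access_token, id_token


def verify_id_token(id_token: str, expected_nonce: str, now: int) -> dict:
    """Client-side ID token validation; raises ValueError on any failed check."""
    try:
        h, p, s = id_token.split(".")
    except ValueError:
        raise ValueError("not a compact JWT") from None   # e.g. an opaque access token
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":                      # never accept "none" or a downgraded alg
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed or injected token)")
    return claims


def who_authorized(token: str, expected_nonce: str, now: int):
    """Return the authenticated subject, or None if the token proves nothing about it."""
    try:
        return verify_id_token(token, expected_nonce, now)["sub"]
    except ValueError:
        return None


if __name__ == "__main__":
    now = int(time.time())
    nonce = secrets.token_urlsafe(16)                     # client generates it per request
    access_token, id_token = issue_tokens("john", nonce, now)
    print("access token says:", who_authorized(access_token, nonce, now))
    print("ID token says:", who_authorized(id_token, nonce, now))
```

The nonce is the part people most often skip: without it, an ID token for John captured from some other session would still pass the signature, issuer and audience checks, so the client binds the token to the exact authorization request it sent. Plain OAuth 2.0 gives the client nothing equivalent to check against the access token.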
