htnc13

Reputation: 1

OAuth2.0 without OIDC (Plain OAuth2.0)

As far as I understand, applications that we can log in to with our different accounts use OpenID Connect (a profile of OAuth 2.0).
OAuth is for authorization and OIDC is for authentication (it has an ID token and a UserInfo endpoint).

Upvotes: 0

Views: 628

Answers (1)

Gary Archer

Reputation: 29208

I have always found the jargon around this unhelpful, so I understand your confusion. Here is a plain English summary:

OAuth 2.0

Before OIDC, apps used OAuth 2.0 to get tokens, and this involved optional user consent. The process of getting tokens was termed 'delegation'.

In practical terms, though, all real world OAuth 2.0 providers also included authentication in order for their system to be secure. How authentication was done is not defined in OAuth specifications.

OAuth is primarily about protecting data, where scopes and claims are the mechanisms. These links provide further info:

OIDC

This just adds some clearer definition around how authentication messages before and after authentication should work:

  • A client simply includes an openid scope to use OpenID Connect
  • A client may force a login during a redirect via a prompt=login parameter
  • A client may request an authentication method via an acr_values parameter
  • The client receives an ID token (assertion) once authentication is complete, can digitally verify it if required, then use the information in it (e.g. a user name)

OIDC still does not define how the actual authentication works though.

Use them together

Pretty much all OAuth secured apps (and libraries) these days use both together, so that the authentication and delegation both use standards-based solutions. It gives you the best application features and design patterns for doing the security well.

Upvotes: 1
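The answer above lists the OIDC additions a client actually touches: the openid scope, prompt=login, acr_values, and verifying the returned ID token. The following is an added example, not code from the question or the answer, showing those pieces end to end: building the authorization request URL, then verifying an ID token's signature and its iss, aud, exp and nonce claims. To stay self-contained it signs the token with an HMAC (HS256) shared secret and constructs its own issuer, client and endpoint values; real providers normally sign ID tokens with an asymmetric key published at their JWKS endpoint, so in production the signature step is done by an OIDC library against that key.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo values; not a real provider or client.
DEMO_AUTHORIZE_ENDPOINT = "https://issuer.example/authorize"
DEMO_ISSUER = "https://issuer.example"
DEMO_CLIENT_ID = "demo-client"
DEMO_REDIRECT_URI = "https://app.example/callback"
DEMO_HMAC_KEY = b"constructed-demo-secret-not-for-production"


def build_authorization_url(client_id, redirect_uri, state, nonce,
                            force_login=False, acr_values=None,
                            authorize_endpoint=DEMO_AUTHORIZE_ENDPOINT):
    """Authorization code request. The openid scope is what turns plain
    OAuth 2.0 delegation into an OIDC login; prompt=login forces a fresh
    authentication; acr_values asks for a particular authentication method."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",  # openid scope selects OpenID Connect
        "state": state,             # binds the callback to this browser session
        "nonce": nonce,             # echoed back inside the ID token
    }
    if force_login:
        params["prompt"] = "login"
    if acr_values:
        params["acr_values"] = acr_values
    return f"{authorize_endpoint}?{urlencode(params)}"


def parse_authorization_url(url):
    """Flatten the query string back into a dict (handy for checks and tests)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims, key=DEMO_HMAC_KEY):
    """Stand-in for the provider: mint an HS256-signed ID token (JWT)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (f"{_b64url_encode(json.dumps(header).encode())}."
                     f"{_b64url_encode(json.dumps(claims).encode())}")
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_id_token(token, expected_nonce, key=DEMO_HMAC_KEY,
                    issuer=DEMO_ISSUER, client_id=DEMO_CLIENT_ID, now=None):
    """Client-side ID token validation. Returns (claims, None) on success or
    (None, reason) on failure. Every check here is one a relying party must
    do before trusting the user identity in the token."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never trust the token's own alg
        return None, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        return None, "wrong issuer"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        return None, "wrong audience"
    if int(claims.get("exp", 0)) <= now:
        return None, "expired"
    if claims.get("nonce") != expected_nonce:  # ties token to our request
        return None, "nonce mismatch"
    return claims, None


if __name__ == "__main__":
    url = build_authorization_url(DEMO_CLIENT_ID, DEMO_REDIRECT_URI, "st1", "n1",
                                  force_login=True, acr_values="urn:demo:mfa")
    print(url)
    tok = make_id_token({"iss": DEMO_ISSUER, "sub": "user-42", "aud": DEMO_CLIENT_ID,
                         "exp": int(time.time()) + 300, "nonce": "n1"})
    print(verify_id_token(tok, "n1"))
```

The nonce and state are generated per login and stored in the session; the nonce check is what prevents an ID token issued for one request from being replayed into another, which is exactly the kind of protocol detail plain OAuth 2.0 left undefined.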
