Szyszka947

Reputation: 850

Open ID Connect Flow and OAuth Grant

I can't understand the difference between the OAuth authorization_code grant and the OIDC authorization_code flow. For me it seems that this grant and flow are the same. If that's true, why use OIDC? If not, then when to use OIDC and OAuth? I have read a lot of blogs and questions on various forums, but I still can't understand it.

Upvotes: 1

Views: 143

Answers (1)

Ron van der Heijden

Reputation: 15070

You are right, the terminology between OAuth and OpenID Connect is sometimes confusing.

The flow is the same; OpenID Connect is only an extra layer on top of OAuth.

When you use OAuth, you receive an access_token, which grants you access to a resource server. The access_token proves authorization. So the resource server has no idea who you are, only that you may access resources.

When you use OpenID Connect, and provide the openid scope when requesting the authorization code, you receive an extra token, the id_token.

This id_token is a signed JWT token which holds the identity of the user. Optionally you can add more scopes for more claims in your id_token. The id_token proves authentication.

Also, if you support OpenID Connect, but the client does not provide the openid scope, you don't receive an id_token but only the OAuth tokens.

So the flows are identical; the only difference is the id_token.

Upvotes: 2
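The distinction the answer draws, as an added Python example that is not part of the original post: the access_token is passed to the resource server as-is, while the id_token is a signed JWT the client must verify itself before trusting the identity in it. It assumes HS256 with a constructed shared secret, issuer and client_id; a real IdP would sign with its own key.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-shared-secret"   # constructed: stands in for the IdP's key
ISSUER = "https://idp.example"          # constructed issuer URL
CLIENT_ID = "my-client"                 # constructed client_id, i.e. the expected aud

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(sub: str, nonce: str, ttl: int = 300) -> str:
    """Mint an HS256 id_token the way the IdP would (demo only)."""
    now = int(time.time())
    claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID,
              "iat": now, "exp": now + ttl, "nonce": nonce}
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_id_token(token: str, expected_nonce: str) -> dict:
    """Client-side check: signature, issuer, audience, expiry and nonce must all hold."""
    head_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(head_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust the token's alg
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims

def authenticated_user(token_response: dict, nonce: str):
    """Without the openid scope the response has only an access_token: authorization,
    no identity. With it, the verified id_token's sub tells the client who logged in."""
    if "id_token" not in token_response:
        return None
    return verify_id_token(token_response["id_token"], nonce)["sub"]
```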
