JavaFox

Reputation: 597

OpenID is just scope of OAuth?

I read a lot of answers about OpenID vs OAuth 2.0. Lots of blah blah like: OpenID is about authentication, OAuth is about authorization. But what I see is this: with OAuth, to get the username and email you have to ask the user for basic information via scopes, get an access token, and with the access token go to the provider and get the username and email. With OpenID you just need to get an access token with an ID token, and now you don't need to make another request to the provider to get the username and email; you just have to decrypt the JWT ID token and that's all. This is all the difference I see. Please, smart guys, tell me if I'm wrong or not. I checked Google and GitHub about their OpenID implementations: Google just added the scope "openid", so nothing changed from the OAuth 2.0 code; you just add a new scope and in return from Google you get not just an Access Token but also an ID Token. GitHub, maybe I'm blind, but I don't see any info about OpenID. All guidelines about GitHub OpenID are the same as OAuth. I didn't test it myself, but I assume you just need to do OAuth without scopes and you will get an ID Token. Microsoft also looks like it did the same as Google, with the openid scope.

Upvotes: 0

Views: 2519

Answers (1)

Tore Nestenius

Reputation: 19901

According to the OpenID Connect specification:

  • OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol.

  • The specification defines the core OpenID Connect functionality: Authentication built on top of OAuth 2.0 and using Claims to communicate information about the End-User.

  • The primary extension that OpenID Connect makes to OAuth 2.0 to enable End-Users to be Authenticated is the ID Token data structure.

  • We use JSON Web Tokens

So, OIDC is just a thin layer on top of OAuth. The purpose of the ID token is typically to create the local user session, after that the ID token typically has no purpose. It typically has a short lifetime, like 5 minutes.

The openid scope is a required scope when you use OIDC, and it basically gives you the sub claim back. That's it.

I just wrote this guide for developers: OpenID Connect for Developers. Hopefully, it can answer your questions.

Upvotes: 1
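An added example (not from the question or the answer) of what the answer describes: the ID token is a signed JWT whose claims are read locally, so the relying party decodes and verifies it rather than calling the provider again, but only after checking signature, iss, aud, exp and nonce before trusting sub. The issuer, client ID, client secret and user values are constructed; HS256 with the client secret (permitted by OIDC Core, section 10.1) stands in for the RS256 signatures most providers actually use, and the five-minute lifetime is the one the answer mentions.

```python
import base64, hashlib, hmac, json

# Constructed demo values: no real provider, client or user is involved.
CLIENT_SECRET = b"constructed-demo-client-secret"
ISSUER = "https://idp.example"   # constructed issuer URL
CLIENT_ID = "demo-client"        # constructed client_id

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_token(sub, nonce, now, lifetime=300, key=CLIENT_SECRET):
    """Provider side (stand-in): an HS256 ID token with a 5-minute lifetime."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID,
              "iat": now, "exp": now + lifetime, "nonce": nonce}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_id_token(token, expected_nonce, now, key=CLIENT_SECRET):
    """Relying-party side: the OIDC Core 3.1.3.7 checks, then return the claims.
    The token is only base64url-decoded (it is signed, not encrypted)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":   # pin the algorithm; never accept 'none' or a surprise alg
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))   # decode claims only after the signature holds
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:   # nonce binds the token to this login attempt
        raise ValueError("nonce mismatch")
    return claims   # claims["sub"] is the stable user identifier the openid scope buys you
```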
