An Introduction to OAuth 2.0 and OIDC
OAuth 2.0 is a standard which enables client applications access to protected resources hosted by another service on behalf of a user. If you have ever authorized an application to read your email, post to your favorite social media site, etc, you are already familiar with the use cases OAuth 2.0 solves. At a high level, OAuth 2.0 involves the provisioning of an access token which acts as proof that authorization has been granted.
OpenID Connect (OIDC) is a simple identity layer on top of OAuth 2.0. While OAuth 2.0 was focused on handling authorization, OIDC handles authentication. OIDC can be used by client applications that wish to delegate authentication to a 3rd party. It uses the same flows and concepts from OAuth 2.0 and adds a new token called the identity token. An identity token is a JSON Web Token (JWT) and is proof of authentication. Access tokens can also be JWTs, but they don’t have to be. This 3rd party is also responsible for safe handling of user credentials and enforcement of authentication policies such as password rotation and . They can also maintain their own authenticated session for users. So, if multiple applications wish to use the same 3rd party, the user does not have to necessarily authenticate multiple times. This is known as Single Sign-on (SSO).
There are 4 major participants. They are:
- Resource Owner - The entity that can grant access to protected resources. This is typically an end-user.
- Client Application - The entity requesting access to protected resources on behalf of another user. If the application is delegating authentication and therefore using OIDC, this is also known as the Relying Party (RP). If you’ve ever used a web application that says “Login with ABC”, it is likely using OIDC.
- Authorization/Authentication Server - The entity authenticating the resource owner, handling authorization, and providing tokens when necessary. In OIDC terms, this is known as the OpenID Provider (OP).
- Resource Server - The entity hosting protected resources.
You may be wondering, how does this actually work? There are multiple flows (also called grants) which are just ways to acquire tokens (access or ID) and each one requires a specific set of participants to execute the flow.
Here’s a typical flow: