what is the difference between OAuth-2.0 and OIDC?

OAuth 2.0 is primarily an authorization framework that allows third-party applications to obtain limited access to user resources without exposing user credentials. It focuses on granting access to resources.

OpenID Connect (OIDC), on the other hand, is an authentication layer built on top of OAuth 2.0. It adds an identity layer to OAuth 2.0, enabling clients to verify the identity of the end-user based on the authentication performed by an authorization server.

Key Differences:

  1. Purpose:

    • OAuth 2.0: Authorization (granting access to resources).

    • OIDC: Authentication (verifying user identity) and authorization.

  2. Tokens:

    • OAuth 2.0: Issues access tokens and refresh tokens.

    • OIDC: Issues ID tokens (for user identity), access tokens, and refresh tokens.

  3. Use Cases:

    • OAuth 2.0: Used when an application needs to access user data without needing the user’s password.

    • OIDC: Used for user authentication, such as logging into web applications via third-party providers (e.g., “Login with Google”).

OAuth 2.0 Flow

OpenID Connect (OIDC) Flow

Examples:

OAuth 2.0 Example:

Imagine you have a photo editing app that wants to access a user’s Google Drive to save edited photos. The app uses OAuth 2.0 to request access to the user’s Google Drive. The user grants permission, and the app receives an access token to interact with the user’s Google Drive without needing the user’s Google credentials.

OIDC Example:

Consider a web application that allows users to log in using their Google account. The application uses OIDC to authenticate the user. When the user logs in with Google, OIDC verifies the user’s identity and provides an ID token containing user information (e.g., email, name). This token allows the application to authenticate the user and create a session.

Use Cases:

OAuth 2.0 Use Cases:

  1. API Access: Allowing third-party applications to access user data stored on a server (e.g., accessing Google Drive files).

  2. Resource Sharing: Enabling applications to share user resources without exposing credentials (e.g., sharing contacts between apps).

OIDC Use Cases:

  1. Single Sign-On (SSO): Allowing users to log in to multiple applications using a single set of credentials (e.g., logging into various services with a Google account).

  2. Identity Federation: Verifying user identity across different domains and services (e.g., using a central identity provider for multiple applications).

By combining OAuth 2.0’s robust authorization capabilities with OIDC’s standardized authentication mechanisms, you get a comprehensive solution for modern identity and access management needs.

Implementing OAuth 2.0 and OpenID Connect (OIDC) in your application involves several steps. Here’s a high-level overview of how you can do it:

Implementing OAuth 2.0

  1. Register Your Application:

    • Register your application with the OAuth 2.0 provider (e.g., Google, Facebook).

    • Obtain the Client ID and Client Secret.

  2. Set Up Authorization Endpoint:

    • Redirect users to the OAuth provider’s authorization endpoint.

    • Include parameters like client_id, redirect_uri, response_type, and scope.

  3. Handle Authorization Response:

    • The OAuth provider will redirect back to your application with an authorization code.

    • Capture this code from the URL.

  4. Exchange Authorization Code for Tokens:

    • Send a POST request to the OAuth provider’s token endpoint.

    • Include the authorization code, client_id, client_secret, and redirect_uri.

    • Receive an access token (and optionally a refresh token).

  5. Access Protected Resources:

    • Use the access token to make authenticated requests to the resource server.

Example in Python:

Python

import requests

# Step 1: Redirect user to authorization endpoint
authorization_url = "https://oauth2provider.com/auth"
params = {
    "client_id": "your_client_id",
    "redirect_uri": "https://yourapp.com/callback",
    "response_type": "code",
    "scope": "profile email"
}
response = requests.get(authorization_url, params=params)
print(response.url)  # Redirect user to this URL

# Step 2: Handle the callback and exchange code for tokens
code = "authorization_code_received"
token_url = "https://oauth2provider.com/token"
data = {
    "code": code,
    "client_id": "your_client_id",
    "client_secret": "your_client_secret",
    "redirect_uri": "https://yourapp.com/callback",
    "grant_type": "authorization_code"
}
token_response = requests.post(token_url, data=data)
tokens = token_response.json()
access_token = tokens['access_token']

# Step 3: Access protected resources
resource_url = "https://api.oauth2provider.com/userinfo"
headers = {"Authorization": f"Bearer {access_token}"}
resource_response = requests.get(resource_url, headers=headers)
user_info = resource_response.json()
print(user_info)

Implementing OpenID Connect (OIDC)

  1. Register Your Application:

    • Register your application with the OIDC provider.

    • Obtain the Client ID and Client Secret.

  2. Set Up Authorization Endpoint:

    • Redirect users to the OIDC provider’s authorization endpoint.

    • Include parameters like client_id, redirect_uri, response_type, scope, and nonce.

  3. Handle Authorization Response:

    • The OIDC provider will redirect back to your application with an authorization code.

    • Capture this code from the URL.

  4. Exchange Authorization Code for Tokens:

    • Send a POST request to the OIDC provider’s token endpoint.

    • Include the authorization code, client_id, client_secret, and redirect_uri.

    • Receive an ID token, access token, and optionally a refresh token.

  5. Validate ID Token:

    • Decode and validate the ID token to ensure it is from the expected issuer and has not been tampered with.

  6. Access Protected Resources:

    • Use the access token to make authenticated requests to the resource server.

Example in JavaScript (Node.js):

JavaScript

const axios = require('axios');
const jwt = require('jsonwebtoken');

// Step 1: Redirect user to authorization endpoint
const authorizationUrl = 'https://oidcprovider.com/auth';
const params = new URLSearchParams({
  client_id: 'your_client_id',
  redirect_uri: 'https://yourapp.com/callback',
  response_type: 'code',
  scope: 'openid profile email',
  nonce: 'random_string'
});
console.log(`${authorizationUrl}?${params.toString()}`);  // Redirect user to this URL

// Step 2: Handle the callback and exchange code for tokens
const code = 'authorization_code_received';
const tokenUrl = 'https://oidcprovider.com/token';
const tokenData = {
  code: code,
  client_id: 'your_client_id',
  client_secret: 'your_client_secret',
  redirect_uri: 'https://yourapp.com/callback',
  grant_type: 'authorization_code'
};
axios.post(tokenUrl, tokenData)
  .then(response => {
    const tokens = response.data;
    const idToken = tokens.id_token;
    const accessToken = tokens.access_token;

    // Step 3: Validate ID token
    const decodedIdToken = jwt.decode(idToken, { complete: true });
    console.log(decodedIdToken);

    // Step 4: Access protected resources
    const resourceUrl = 'https://api.oidcprovider.com/userinfo';
    axios.get(resourceUrl, { headers: { Authorization: `Bearer ${accessToken}` } })
      .then(resourceResponse => {
        console.log(resourceResponse.data);
      });
  });

Use Cases

  • OAuth 2.0: Ideal for scenarios where you need to access user resources without handling user credentials directly, such as accessing a user’s Google Drive files.

  • OIDC: Perfect for authentication scenarios, such as implementing Single Sign-On (SSO) where you need to verify user identity and obtain user profile information.

PreviousDifferent between sp and idp initiated flow in saml?NextUnderstanding PKCE in OAuth-2.0?

Last updated