OAuth 2.0 and OpenID Connect (OIDC)

They’re closely related, but they serve different purposes:

| Protocol | Purpose | Summary |
|---|---|---|
| OAuth 2.0 | Authorization | Lets an app access your data on another service without your password |
| OpenID Connect (OIDC) | Authentication (Login) | Built on top of OAuth 2.0 — confirms who you are |

🧩 OAuth 2.0 — Delegated Authorization

💡 Definition

OAuth 2.0 is an open standard that allows users to grant a third-party app limited access to their resources on another service — without sharing their password.

🎯 Purpose

“Let this app do something on my behalf.”


🔄 Example: OAuth 2.0 Flow (Real-world)

You’re using a fitness app that wants to read your Google Fit data.

  1. The app redirects you to Google’s authorization page.
  2. You log into Google and see a consent screen:
    “Allow this app to view your Google Fit data?”
  3. If you agree, Google issues the app an Access Token.
  4. The app uses that token to fetch your fitness data — without ever seeing your Google password.

⚙️ OAuth 2.0 Key Roles

| Role | Description | Example |
|---|---|---|
| Resource Owner | The user who owns the data | You |
| Client | The app requesting access | Fitness app |
| Authorization Server | Issues tokens after user consent | Google’s OAuth server |
| Resource Server | API that holds the data | Google Fit API |

🔑 OAuth 2.0 Tokens

| Token Type | Description | Example |
|---|---|---|
| Access Token | Grants access to a resource | Used by app to call Google API |
| Refresh Token | Used to get a new access token without user login | Keeps session alive |

🔄 OAuth 2.0 Grant Types (Flows)

| Flow | Used For | Description |
|---|---|---|
| Authorization Code Flow | Server-side web apps | Most secure, uses separate steps to exchange code for token |
| Implicit Flow | Browser apps (legacy) | Now discouraged due to security risks |
| Client Credentials Flow | Machine-to-machine | No user, uses app credentials only |
| Password Flow | Legacy apps | User credentials sent directly (deprecated) |
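The Authorization Code flow from the Google Fit walkthrough and from the grant-types table above, worked through as an added example (not code from the original article): the client builds the authorize URL, checks the `state` value on the callback so a code planted by someone else is rejected, and prepares the token request. It adds PKCE (RFC 7636, the S256 method), which is what makes the code flow safe for browser and mobile apps and is why the Implicit flow is no longer needed. The client id, redirect URI and endpoint hostname are hypothetical, and the callback URL is constructed in place of a real identity provider; the `pkce_challenge` test vector is the one in RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical client registration for the walkthrough (not a real one).
CLIENT_ID = "fitness-app-client-id"
REDIRECT_URI = "https://fitness.example/callback"
AUTHORIZE_ENDPOINT = "https://accounts.example.com/authorize"  # assumed IdP endpoint
SCOPE = "fitness.read"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(code_verifier: str) -> str:
    """S256 method: code_challenge = base64url(SHA-256(code_verifier))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple:
    """Fresh (code_verifier, code_challenge); 32 random bytes give a 43-char verifier."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)


def build_authorization_url(state: str, code_challenge: str) -> str:
    """Step 1: the URL the app redirects the browser to.
    `state` is a random per-session value the app stores before redirecting."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 3: after consent the browser lands on redirect_uri?code=...&state=...
    The state must equal the value kept in the user's session; if it does not,
    the code is not bound to this login attempt (login CSRF) and must be dropped."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization server returned error: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not bound to this session")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def build_token_request(code: str, code_verifier: str) -> dict:
    """Step 3/4: form body the app's back end POSTs to the token endpoint.
    The server hashes code_verifier and compares it with the code_challenge it
    stored at step 1, so a leaked code is useless without the verifier."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": code_verifier,
    }


def demo_flow() -> dict:
    """Walk the flow offline; the callback URL is constructed, standing in for the IdP."""
    state = b64url(secrets.token_bytes(16))
    verifier, challenge = make_pkce_pair()
    auth_url = build_authorization_url(state, challenge)
    callback = f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"  # constructed
    code = parse_callback(callback, state)
    return {"auth_url": auth_url, "token_request": build_token_request(code, verifier)}


if __name__ == "__main__":
    print(demo_flow())
```

The access token comes back in the response to the token request; the browser only ever sees the short-lived code, never the token, which is the property the table credits to this flow.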

🧭 OpenID Connect (OIDC) — Authentication Layer

💡 Definition

OpenID Connect (OIDC) is a simple identity layer built on top of OAuth 2.0 that allows clients to verify the user’s identity and obtain basic profile information.

While OAuth 2.0 says:

“App A is allowed to access user’s data.”

OIDC adds:

“And the user’s name is Alice, with email alice@example.com.”


🧠 How OIDC Works (Simplified)

  1. The app (client) redirects you to the identity provider (like Google).
  2. You log in once.
  3. The IdP sends back:
    • An ID Token (JWT) → proves your identity.
    • An Access Token → allows the app to access APIs.
  4. The app uses the ID Token to authenticate you.

🧾 Example of an ID Token (JWT)

{
  "iss": "https://accounts.google.com",
  "sub": "1122334455",
  "email": "alice@gmail.com",
  "name": "Alice Johnson",
  "iat": 1739050000,
  "exp": 1739053600
}

This tells the app:

The user is Alice, authenticated by Google, and the token expires in one hour.


⚙️ OIDC Endpoints

| Endpoint | Purpose |
|---|---|
| /authorize | User login and consent |
| /token | Exchange authorization code for tokens |
| /userinfo | Get user’s basic profile info |
| /.well-known/openid-configuration | Metadata about the IdP (used by apps to integrate easily) |
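Step 4 of “How OIDC Works” (the app uses the ID Token to authenticate you) is where most integration mistakes happen, so here is an added example, not code from the original article, of what the client must check before trusting the token: the signature, that `iss` matches the `issuer` in the discovery document from the endpoints table, that `aud` names this client (OIDC requires `aud` in every ID token, although the sample token above leaves it out), that `exp`/`iat` are in range, and that the `nonce` matches the one sent in the login request. The discovery document, client id and claims are constructed; real providers sign ID tokens with RS256 or ES256 and publish the public keys at `jwks_uri`, and the HS256 shared secret here is a stand-in so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed discovery document in the shape served at
# /.well-known/openid-configuration; the hostname is made up.
DISCOVERY = {
    "issuer": "https://accounts.example.com",
    "authorization_endpoint": "https://accounts.example.com/authorize",
    "token_endpoint": "https://accounts.example.com/token",
    "userinfo_endpoint": "https://accounts.example.com/userinfo",
    "jwks_uri": "https://accounts.example.com/.well-known/jwks.json",
}
CLIENT_ID = "photo-app-client-id"  # hypothetical client registration
# Constructed shared secret so the example runs offline (real IdPs use RS256/ES256 keys).
DEMO_KEY = b"constructed-demo-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_id_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Stand-in for the IdP: mint a compact JWT header.payload.signature.
    `alg` is a parameter only so a token whose header lies about its algorithm can be built."""
    signing_input = f"{_segment({'alg': alg, 'typ': 'JWT'})}.{_segment(claims)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_id_token(token: str, key: bytes, now: int,
                    expected_nonce: Optional[str] = None, leeway: int = 60) -> dict:
    """The checks a relying party performs before trusting `sub` (OIDC Core 3.1.3.7)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm the app expects; never let the token's header choose it.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != DISCOVERY["issuer"]:
        raise ValueError("issuer does not match the discovery document")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise ValueError("token was not issued to this client (aud)")
    if len(audiences) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("multiple audiences but azp is not this client")
    if "exp" not in claims or int(claims["exp"]) + leeway < now:
        raise ValueError("token expired or has no exp")
    if "iat" in claims and int(claims["iat"]) - leeway > now:
        raise ValueError("token issued in the future")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token not bound to this login attempt")
    if not claims.get("sub"):
        raise ValueError("no subject claim")
    return claims


# Constructed claims mirroring the article's sample token, plus the aud and nonce it omits.
SAMPLE_CLAIMS = {
    "iss": DISCOVERY["issuer"],
    "sub": "1122334455",
    "aud": CLIENT_ID,
    "email": "alice@example.com",
    "name": "Alice Johnson",
    "nonce": "n-0S6_WzA2Mj",
    "iat": 1739050000,
    "exp": 1739053600,
}


def demo() -> dict:
    token = sign_id_token(SAMPLE_CLAIMS, DEMO_KEY)
    return verify_id_token(token, DEMO_KEY, now=1739050010, expected_nonce="n-0S6_WzA2Mj")


if __name__ == "__main__":
    print(demo())
```

Note that `verify_id_token` hard-codes the algorithm it accepts and compares signatures in constant time; the order also matters, since claims are only parsed after the signature has been checked. Swapping the HMAC step for an RS256 check against a key fetched from `jwks_uri` leaves the claim checks unchanged.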

⚖️ OAuth 2.0 vs OpenID Connect (OIDC)

| Feature | OAuth 2.0 | OpenID Connect (OIDC) |
|---|---|---|
| Purpose | Authorization (access to resources) | Authentication (login & identity) |
| Token Type | Access Token | Access Token + ID Token |
| Data Format | Usually JSON | JSON Web Tokens (JWT) |
| Used For | APIs, app integrations | Single Sign-On, user login |
| Example | A photo editor accessing your Google Drive photos | Logging into Reddit with your Google account |

🌍 Real-World Examples

| Provider | Protocol Used | Example |
|---|---|---|
| Google | OAuth 2.0 + OIDC | “Sign in with Google” |
| Microsoft | OAuth 2.0 + OIDC | Office 365 / Azure AD logins |
| GitHub | OAuth 2.0 | Third-party apps accessing your repos |
| Facebook | OAuth 2.0 + OIDC | “Login with Facebook” |

Summary

| Concept | OAuth 2.0 | OpenID Connect (OIDC) |
|---|---|---|
| Primary Goal | Authorization | Authentication |
| Defines | How apps access user data | How apps verify user identity |
| Token | Access Token | ID Token (JWT) |
| Common Use | APIs, integrations | SSO, user login |
| Example | Allow an app to post to Twitter for you | Log in to Twitter with Google |