
OpenID Connect

What Is OpenID Connect?

  • OpenID Connect (OIDC) is an open authentication protocol that works on top of the OAuth 2.0 framework. Targeted toward consumers, OIDC allows individuals to use single sign-on (SSO) to access relying party sites using OpenID Providers (OPs), such as an email provider or social network, to authenticate their identities. It provides the application or service with information about the user, the context of their authentication, and access to their profile information.
  • While OAuth 2.0 provides authorization via an access token that carries scopes, OpenID Connect provides authentication by introducing an ID Token that carries a set of scopes and claims specifically for identity.


  • The OpenID Connect flow looks the same as the OAuth flow. The only differences are that the initial request includes the specific scope openid, and that in the final exchange the client receives both an Access Token and an ID Token.
  • The Access Token is used for authorization, and the ID Token carries the details of the authenticated user.
  • So to tell the authorization server whether you want plain OAuth2 or OpenID Connect, you only need to include the value openid in the scope; the authorization server then knows to return both the Access Token and the ID Token.

Why Is OpenID Connect Important?

  • Identity is the key to any application. At the core of modern authorization is OAuth2, but OAuth2 lacks an authentication component. Implementing OpenID Connect on top of OAuth2 completes an IAM (Identity And Access Management) strategy.
  • As more applications need to connect with each other and more identities are created on the internet, the demand to share these identities also increases. With OpenID Connect, applications can share identities in an easy and standard way.


  • OpenID Connect adds the following to OAuth2:

    • OIDC standardizes the scopes openid, profile, email and address
    • An ID Token in the JWT (JSON Web Token) format
    • OIDC exposes the standardized /userinfo endpoint.
  • So in OpenID Connect, with the Access Token and the ID Token, we can identify our end user and also enforce access management, combining identity and access management in one flow.
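As an added example (not code from the original page), here is the relying-party side of the flow and JWT bullets above: after the token exchange, the client must not trust the identity claims in the ID Token until it has checked the signature, iss, aud, exp and nonce. To stay self-contained it assumes an HS256 shared demo secret; a real OP signs with an asymmetric algorithm and publishes its public keys at the JWKS endpoint listed in its discovery document.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret for this example only. A real OP signs ID Tokens
# with RS256/ES256 keys published at its JWKS endpoint; the RP never holds them.
DEMO_SECRET = b"demo-shared-secret"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a compact JWS (header.payload.signature) as the OP would."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_id_token(token, issuer, client_id, nonce, secret=DEMO_SECRET, now=None):
    """RP-side checks from OIDC Core 3.1.3.7. Returns (claims, status)."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None, "malformed token"
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm the RP registered for; never honour the token's own alg
    # (this is what blocks "alg": "none" and algorithm-confusion tokens).
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None, "bad signature"
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:              # token really came from our OP
        return None, "issuer mismatch"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return None, "audience mismatch"        # token was issued to another client
    if claims.get("exp", 0) <= now:
        return None, "token expired"
    if claims.get("nonce") != nonce:             # ties the token to this login attempt
        return None, "nonce mismatch (possible replay)"
    return claims, "ok"
```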

  • Authorization servers used in industry today, such as Okta and Keycloak, are all built around this IAM concept and follow OpenID Connect and the OAuth2 framework.
