OAuth 2.0 & OIDC 1.0

OAuth 2.0 & OIDC 1.0: Enhancing User Login and Authorization

OpenID Connect (OIDC) 1.0 is an identity layer built on top of OAuth 2.0: it adds user login (authentication) to the OAuth 2.0 authorization framework. While OAuth 2.0 is concerned with authorization (what a client may access), OpenID Connect specializes in authenticating the end user and obtaining a defined set of user data (claims).

OIDC Terminology

User or End-User

The person that is using a registered client to access resources.

Identity Provider (IDP)

The system that authenticates the user and issues tokens. It serves the same role as the authorization server in OAuth 2.0 and is often treated as synonymous with it (the OIDC specification calls it the OpenID Provider, OP).

Relying Party

The software application that relies on the identity provider to authenticate the user and that seeks access to resources on the resource server. It is equivalent to the client in OAuth 2.0, and the two terms are often used interchangeably across OIDC and OAuth.

ID Token

A security token, similar in form to an access token, represented as a JWT and used for Single Sign-On (SSO). It contains a set of claims about the authenticated user and about the authentication event itself.

What are the Claims in an ID Token?

iss (issuer) : The issuer identifier.

sub (subject) : A unique identifier for each user.

aud (audience) : The intended audience for the token.

exp (expiration time) : When the token expires.

iat (issued at) : When the token was issued.

nonce : A value that must match the one the client sent in the authentication request, binding the ID token to that client session so a token cannot be replayed; it is sometimes also used as a session key or to carry additional data in state management.
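The claims above are only useful if the relying party actually checks them. The following is an added example, not code from the original page: it mints a sample ID token and then validates signature, iss, sub, aud, exp, iat and nonce in the order a relying party would. The issuer URL, client_id, subject, nonce and timestamps are constructed values, and the token is signed with HS256 over a constructed shared secret purely so the example runs offline; a real OpenID Provider normally signs with an asymmetric key published at its jwks_uri.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the example (not from any real provider).
ISSUER = "https://op.example.com"
CLIENT_ID = "s6BhdRkqt3"
NONCE = "n-0S6_WzA2Mj"
NOW = 1_700_000_000  # fixed "current time" so results are reproducible
SHARED_SECRET = b"example-client-secret-not-for-production"  # constructed; real OPs use RS256/ES256 keys

SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "sub": "248289761001",
    "aud": CLIENT_ID,
    "exp": NOW + 300,
    "iat": NOW - 60,
    "nonce": NONCE,
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Build a compact JWS (header.payload.signature) with HS256. Test helper only."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(signature)}"


def validate_id_token(token: str, expected_issuer: str, client_id: str, expected_nonce: str,
                      now: Optional[int] = None, secret: bytes = SHARED_SECRET, max_age: int = 300) -> dict:
    """Verify the signature and the core ID token claims; return the claims or raise ValueError."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("token is not a compact JWS")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the relying party expects instead of trusting the token header.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # iss must exactly equal the issuer learned from discovery.
    if claims.get("iss") != expected_issuer:
        raise ValueError("iss mismatch")
    # aud may be a string or a list; this client's id must be among the audiences.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("aud does not include this client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp required and must match client when there are multiple audiences")
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        raise ValueError("sub missing")
    if claims.get("exp") is None or now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("iat") is None or claims["iat"] > now or now - claims["iat"] > max_age:
        raise ValueError("iat outside the acceptable window")
    # nonce ties the token to the request this client sent.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def sample_token() -> str:
    return mint_id_token(SAMPLE_CLAIMS)


def is_rejected(token: str, **kwargs) -> bool:
    """True if validate_id_token raises ValueError for this token."""
    try:
        validate_id_token(token, **kwargs)
    except ValueError:
        return False or True
    return False


if __name__ == "__main__":
    print(validate_id_token(sample_token(), ISSUER, CLIENT_ID, NONCE, now=NOW))
```

The order matters in practice: the signature is checked before any claim is read, so an unsigned or re-signed payload never reaches the claim logic, and the clock is passed in explicitly so the checks are testable without depending on wall-clock time.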

Features in OIDC Over OAuth

- New endpoints: UserInfo, for fetching user data, and Discovery, for locating all configuration related to the identity provider.

- Form-post delivery for the authorization flow (the form_post response mode), adding to the mechanisms available in OAuth.

- An ID token issued alongside the access token; the ID token carries the user's claims, while the access token is presented to the UserInfo endpoint for further user data.

- New scopes such as "openid", which marks the request as an OpenID Connect request, and "profile", for accessing end-user profile information at the UserInfo endpoint.

- Dynamic Client Registration, for registering new clients at runtime.

End-Points in OAuth and OpenID Connect

Authorize

Found in OAuth, used for client authorization.

Token

Present in OAuth, utilized for acquiring an access token.

UserInfo

Available in OpenID, employed for accessing user data.

Introspection

Exists in OpenID, used for validating tokens.

Discovery

Available in OpenID, used for obtaining configuration information specific to the OpenID provider (issuer, endpoint URLs, supported scopes and response modes, signing keys).
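To show how the Discovery and Authorize endpoints, the openid scope and the form_post response mode from the feature list fit together, here is an added example that is not part of the original page. It loads a constructed discovery document (the JSON a provider would serve at its well-known configuration URL), checks that the document's issuer matches the one it was fetched for, builds an authorization request with state and nonce, and verifies the state on the callback. The provider and relying-party hostnames, client_id, redirect URI and authorization code are all constructed values.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed discovery document (what GET {issuer}/.well-known/openid-configuration
# would return). Only the fields this example uses are included; a real document has many more.
DISCOVERY_JSON = """{
  "issuer": "https://op.example.com",
  "authorization_endpoint": "https://op.example.com/authorize",
  "token_endpoint": "https://op.example.com/token",
  "userinfo_endpoint": "https://op.example.com/userinfo",
  "jwks_uri": "https://op.example.com/.well-known/jwks.json",
  "response_modes_supported": ["query", "fragment", "form_post"],
  "scopes_supported": ["openid", "profile", "email"]
}"""

CLIENT_ID = "s6BhdRkqt3"                      # constructed client identifier
REDIRECT_URI = "https://rp.example.org/callback"  # constructed relying-party callback


def load_discovery(document: str, expected_issuer: str) -> dict:
    """Parse the discovery document and refuse it unless it describes the expected issuer."""
    cfg = json.loads(document)
    # The issuer inside the document must equal the issuer the document was fetched for,
    # so that configuration from the wrong origin cannot point the client at other endpoints.
    if cfg.get("issuer") != expected_issuer:
        raise ValueError("issuer mismatch in discovery document")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(cfg.get(key, "")).startswith("https://"):
            raise ValueError(f"{key} missing or not https")
    return cfg


def new_session() -> dict:
    """Fresh per-login state (CSRF binding) and nonce (ID token binding), stored server-side."""
    return {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}


def build_authorization_request(cfg: dict, scopes: list, state: str, nonce: str,
                                response_mode: str = "query") -> str:
    """Build the URL the user agent is sent to at the Authorize endpoint."""
    if "openid" not in scopes:
        raise ValueError("an OpenID Connect request must include the openid scope")
    supported = cfg.get("response_modes_supported", ["query", "fragment"])
    if response_mode not in supported:
        raise ValueError(f"provider does not support response_mode={response_mode}")
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    if response_mode != "query":  # query is the default for the code flow
        params["response_mode"] = response_mode
    return cfg["authorization_endpoint"] + "?" + urlencode(params)


def request_params(url: str) -> dict:
    """Flatten the query string of a built request for inspection."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def check_callback(callback_url: str, session: dict) -> str:
    """Verify the state on the redirect back and return the authorization code."""
    q = parse_qs(urlparse(callback_url).query)
    returned_state = q.get("state", [""])[0]
    if not secrets.compare_digest(returned_state, session["state"]):
        raise ValueError("state mismatch: response does not belong to this session")
    if "error" in q:
        raise ValueError(f"provider returned error {q['error'][0]}")
    if "code" not in q:
        raise ValueError("no authorization code in response")
    return q["code"][0]


if __name__ == "__main__":
    cfg = load_discovery(DISCOVERY_JSON, "https://op.example.com")
    session = new_session()
    print(build_authorization_request(cfg, ["openid", "profile"], session["state"], session["nonce"],
                                      response_mode="form_post"))
```

The nonce generated here is the value that later has to reappear in the ID token's nonce claim, and the state is what ties the redirect back to the browser session that started the login; both are generated fresh per login and compared with a constant-time comparison.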

Together, OIDC and OAuth 2.0 provide a robust framework for secure user authentication and authorization: OAuth 2.0 supplies the permission grants, OpenID Connect supplies the user login, and web and mobile applications gain both through one set of flows and endpoints.
