In my earlier post on OAuth 2.0, we looked at how the OAuth framework is meant to be used for delegated access. The framework provides a universally standard process by which client applications can gain access to a protected resource with a pre-defined authorization scope. The client application can access the resource without gaining access to the user's identity. The resource owner (user) authenticates to the resource server, which results in an authorization grant being issued to the client application. The client application exchanges the authorization grant for an access token, which is then used to access the protected resource. The user profile is not shared with the client application. The access token used in OAuth 2.0 is an opaque token and can only be used for delegated access.
Why OpenID Connect?
The OAuth framework was never meant to be used for authentication use cases. Allowing a photo printing client application to access your files on Google Drive is an example of providing delegated access using OAuth. When the photo printing website wants to sign up a new user, it can do so by using federated identity providers like Google and Facebook. Federated identity allows a user's digital identity to be linked across multiple security domains. Instead of creating a new set of credentials with the photo printing website, the user can simply use federated identity to authenticate with Google and then let the photo printing website trust Google for the user identity required for sign-up. The photo printing website can also get user profile information from Google that can be used for the authenticated user session. The next time the user wants to log in to the photo printing website, the user can simply authenticate with Google to share its identity with the photo printing website. OpenID Connect is an extension to OAuth 2.0 that provides authentication in addition to authorization.
How Does OpenID Connect Work?
OpenID Connect works quite similarly to OAuth: the client application is granted access to resources without the user sharing any credentials with the client application. OpenID Connect adds user authentication capability to OAuth by introducing a new JWT token known as the 'Identity Token'. The identity token returned by the Authorization Server contains information about the user in the form of user claims. OIDC also defines a protected 'UserInfo' endpoint, which can be used to fetch additional user profile information such as email, phone, address, etc.
The diagram above for OIDC is quite similar to that of OAuth 2.0, except for the additional identity token returned by the OIDC-compatible authorization server. The identity token (JWT) can be validated by the client application to make sure that the claims have not been tampered with. Additional user information can be fetched from the resource server in order to verify the user's identity.
OpenID Connect adds the features below to OAuth 2.0 to allow sharing of user identity, thereby standardizing the authentication mechanism using federated identity:
- Identity Token in the form of JWT with user claims
- UserInfo endpoint to get additional user information
- Scopes for fetching additional user profile