Updated: Sep 27, 2022
Our last article looked at OAuth 2.0, the foundation of OpenID Connect, also referred to as OIDC. This article covers how OpenID Connect builds on OAuth 2.0 and solves the identity problem.
As explained in the previous article, OAuth 2.0 defines mechanisms to obtain and use Access Tokens to access resources, but it does not define a standard method for providing identity information. We will see shortly how OAuth 2.0 is extended for OpenID Connect. To summarize OAuth 2.0, we have:
Roles: Client Application, Authorization Server, Resource Owner, and Resource Server
Endpoints: Authorization and Token
Grant types: Authorization Code, Implicit, Resource Owner Password Credentials (username/password), and Client Credentials
OpenID Connect implements authentication as an extension to the OAuth 2.0 authorization process. To achieve this, a new scope value called openid was introduced, which tells the Authorization Server that the request is an OpenID Connect request. Now it is time to introduce new terminology. OAuth 2.0 Authorization Servers implementing OpenID Connect are also called OpenID Providers (OPs). OAuth 2.0 Clients using OpenID Connect are also referred to as Relying Parties (RPs).
OpenID Connect is about user identity, so a new protected UserInfo endpoint was introduced to provide the End-User's claims to the Relying Party.
The Authorization Code Flow goes through the following steps:
Client prepares an Authentication Request containing the desired request parameters.
Client sends the request to the Authorization Server.
Authorization Server authenticates the End-User.
Authorization Server obtains End-User Consent/Authorization.
Authorization Server sends the End-User back to the Client with an Authorization Code.
Client requests a response using the Authorization Code at the Token Endpoint.
Client receives a response that contains an ID Token and Access Token in the response body.
Client validates the ID token and retrieves the End-User’s Subject Identifier.
When validating the Authentication Request, the Authorization Server verifies that a scope parameter is present and contains the openid scope value. (If no openid scope value is present, the request may still be a valid OAuth 2.0 request, but it is not an OpenID Connect request.) For a comprehensive read, see https://openid.net/specs/openid-connect-core-1_0.html.
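As an added example (not code from this article or from the OpenID specification), here is the Relying Party side of the flow above in Python: building the Authentication Request with the openid scope, the OP-side scope check just described, and the ID Token claim checks of step 7 that yield the End-User's Subject Identifier. The issuer, client_id and redirect_uri are constructed placeholders, and the JWT signature is assumed to have been verified against the OP's published keys before the claims are inspected.

```python
from urllib.parse import urlencode

# Constructed values for a hypothetical OP and RP (not a real deployment).
ISSUER = "https://op.example.com"
CLIENT_ID = "rp-client-id"
REDIRECT_URI = "https://rp.example.com/callback"

def build_authentication_request(state, nonce):
    """Step 1: the RP builds the Authentication Request. The openid scope is
    what turns a plain OAuth 2.0 authorization request into an OIDC request;
    state binds the response to this session and nonce binds the ID Token."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "nonce": nonce,
    }
    return f"{ISSUER}/authorize?" + urlencode(params)

def is_oidc_request(scope):
    """OP-side check: a scope parameter must be present and contain 'openid'.
    Otherwise the request may still be valid OAuth 2.0 but is not OIDC."""
    return bool(scope) and "openid" in scope.split()

def id_token_problems(claims, expected_nonce, now):
    """Step 7 claim checks, assuming the JWT signature was already verified
    against the OP's published keys. Returns the list of failed checks."""
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("iss does not match the OP")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        problems.append("aud does not include this client_id")
    if len(audiences) > 1 and claims.get("azp") != CLIENT_ID:
        problems.append("azp must name this client when aud lists several")
    if claims.get("exp", 0) <= now:
        problems.append("ID Token expired")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch (replayed or injected token)")
    return problems

def validate_id_token(claims, expected_nonce, now):
    """Reject the token on any failed check; else return the Subject Identifier."""
    problems = id_token_problems(claims, expected_nonce, now)
    if problems:
        raise ValueError("; ".join(problems))
    return claims["sub"]
```

The `now` argument is the current Unix time in seconds, passed in explicitly so the expiry check is deterministic.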
OpenID is a widely used protocol for authentication and authorization. Due to its flexibility, various extensions are built on top of it to cover the use cases of many industries. OpenID Connect is backed by the most active community, with participation from significant tech players and influencers. We will cover identity assurance using OpenID in the forthcoming article.