To ensure the security of user information and allow third-party applications to access restricted resources, two mainstream technologies have emerged: OpenID Connect and OAuth. While these two are often discussed together, they fundamentally differ in their functional positioning and core objectives.
Specifically, OAuth is focused on building an authorization framework, its core purpose being to grant third-party applications permission to access specific resources, without directly involving the verification of the user's identity. In contrast, OpenID Connect is precisely positioned as an identity authentication service, filling the gap that OAuth has in the domain of identity recognition, and ensuring the authenticity and reliability of user identities.
In this blog, we will delve into the essence, operating mechanisms, typical application scenarios, and the subtle yet intimate relationship between OpenID Connect and OAuth.
What Is OpenID Connect?
OpenID Connect (OIDC) is an authentication protocol based on the OAuth 2.0 framework, which extends the functionality of OAuth by introducing the concept of an ID token. OIDC not only allows users to authorize third-party applications to access their resources, but also provides verification of user identity information, enabling secure access to multiple services using a single login credential.
Compared to OAuth 2.0, the core difference of OIDC is the addition of the authentication layer, while OAuth 2.0 primarily focuses on authorization, allowing users to control the access permissions of third-party applications to their resources, without involving the specific verification of user identity.
The OpenID Connect authentication process:
Access the application: When a user wants to use an application or service, if the application needs to verify the user's identity, the user will be directed to the identity authentication service provider, OpenID Connect provider (OP) for login.
User login: The user enters their username and password (or undergoes other authentication mechanisms supported by the OP) on the OP's login interface. Once the user successfully logs in, the OpenID Connect provider will confirm the user's identity.
Issuance of ID token: After confirming the user's identity, the OpenID Connect provider will generate a special token called an ID token. This token contains the user's identity information, such as the username, email address, and other key data, ensuring the digital representation and transmission of the user's identity.
Use of ID token: After obtaining the ID token, the user can present it to the application they previously wanted to access. The application will then activate the verification mechanism to check the token and confirm that it is issued by a trusted OpenID Connect provider and that it has not expired.
Access the application: Once the application has verified the validity of the ID token, it will allow the user to access the protected resources or services. In this way, the user does not need to register and log in to each application separately but can use the ID token issued by the OpenID Connect provider.
Security assurance: OpenID Connect uses advanced JSON Web Token (JWT) technology to generate and verify the tokens, effectively mitigating the risks of data tampering and theft. In addition, OpenID Connect also flexibly supports multiple authentication and authorization modes, such as the authorization code mode, implicit mode, and hybrid mode, to adapt to the security requirements of different scenarios.
What Is OAuth?
In short, OAuth is a protocol that allows third-party applications to access user-stored sensitive resources (such as photo libraries, contact lists, etc.) on another service, without directly accessing the user's login credentials (username and password). This mechanism is more inclined towards "authorization" rather than "authentication".
For example, if you want to use your Google account to log in to a news app, the app can use OAuth to request your public information (such as avatar, and nickname) from your Google account, without needing you to directly provide the Google account username and password to the news app.
The OAuth authorization process:
User requests authorization: Suppose you are using a social application that wants to access information from your account on another social network. However, this information is protected, so authorization is required.
Redirect to the authorization server: The third-party application will redirect your request to a page on an authorization server, which will typically ask you to log in to the service you want to authorize.
User login and authorization: On the authorization server's page, you need to log in with your account. After logging in, the page will ask you whether you agree to let the third-party application access your information.
Authorization server issues access token: If you agree, the authorization server will generate a special "pass" called an access token. This token is like a temporary entry pass that allows the third-party application to access your information for a period of time.
The third-party application uses the access token: Once the third-party application has obtained the access token, it can use this token to request your information for a period of time. Each time it makes a request, it needs to present this token to prove that it has been authorized by you.
The authorization server verifies the token and returns the resource: When the third-party application presents the access token to the authorization server that stores your information, the authorization server will check whether the token is valid. If it is valid, it will allow the third-party application to access the corresponding information based on the token's permissions.
By adopting the OAuth approach, not only is your account security greatly enhanced, as it eliminates the need to directly reveal your username and password to the third-party application, but it also provides a flexible authorization mechanism that allows you to independently decide which applications can access which of your information, thereby achieving precise control over the flow of your personal information.
The Differences and Connections between OpenID Connect and OAuth
The differences and connections between OpenID Connect and OAuth are particularly vivid in practical applications. Suppose there is an online pet website called "Pet Paradise", where customers can purchase pet supplies, and the pet store also provides a pet health tracking APP where customers can record their pet's health data, such as weight, diet, and vaccination status.
Application of OpenID Connect in this use case:
Authentication: When customers first visit the "Pet Paradise" website or download and use the pet health tracking APP, they need to register and log in. To provide a convenient login experience, the pet store decides to use OpenID Connect to implement single sign-on (SSO).
ID Token: Customers can use their credentials from other services that support OpenID Connect (such as social media accounts) to log in. Once the login is successful, the OpenID Connect provider will issue an ID token to the customer. This token contains the customer's identity information and is encrypted and signed.
Cross-service Authentication: If the customer later visits other services of the pet store (e.g., from the website to the APP), they can directly use the previously obtained ID token for authentication, without having to re-enter the username and password. This allows the customer to switch seamlessly between different services.
Application of OAuth in this use case:
Third-party Application Authorization: Suppose "Pet Paradise" wants to collaborate with a third-party application called "Pet Diary" and allow customers to synchronize their pet supply purchase records and pet health data from "Pet Paradise" to "Pet Diary".
Access Token: To achieve this functionality, "Pet Paradise" will use OAuth to authorize the "Pet Diary" application to access the customer's data. After the customer agrees to the authorization on the "Pet Paradise" website, an access token will be generated through the OAuth flow, which allows the "Pet Diary" application to access the customer's specific data on "Pet Paradise".
Protecting User Data: Through OAuth, the customer's login credentials (username and password) will not be directly exposed to the "Pet Diary" application but will be securely shared through the access token. This way, even if the "Pet Diary" application is attacked, the attacker cannot directly obtain the customer's login credentials.
Summary
In summary, the differences and associations between OAuth and OpenID Connect can be summarized as follows.
- Basis and Extension:
- OAuth is an authorization framework that allows third-party applications to obtain limited access permissions without using the user's username and password.
- OpenID Connect, on the other hand, builds on the foundation of OAuth 2.0 and extends its functionality by adding an authentication layer.
- Tokens and Authentication:
- In OAuth, the main focus is on authorization, i.e., allowing applications to access the user's resources, while OpenID Connect is more focused on authentication, i.e., confirming the user's identity.
- OpenID Connect introduces the concept of an ID token, which is a JSON Web Token (JWT) containing the user's identity information. This token not only proves the user's identity but can also include the user's personal profile information.
- Collaboration:
- When an application needs to verify the user's identity and access the user's resources, OpenID Connect and OAuth can work together.
- The user first authenticates their identity through OpenID Connect, obtaining an ID token, and then the application can use this token and the OAuth flow to obtain permission to access the user's resources.
In summary, OpenID Connect and OAuth are two complementary identity authentication and authorization protocols that together provide a secure, flexible, and user-friendly authentication and authorization solution for modern web and mobile applications.
Top comments (1)
Thanks