
Diego Dias

OAuth and OpenID - Introduction

Hello, welcome to my second post at Dev.to! :D

We'll cover the basics of OAuth and OpenID and try to make the concepts simple enough to memorize for interviews. Let's go!

First things first: OpenID and OAuth are different things.

Authorization

OAuth is responsible for issuing a "token": after you provide your credentials to the OAuth server, it answers with an access token that gives you access to APIs but doesn't carry any user data. That's what they call authorization.

Authentication

OpenID implements the concept of user identity on top of the OAuth token mechanism; the difference is that you also receive an ID Token alongside the access token. That's what they call authentication.

```javascript
const OAuth = 'Authorization';
const OpenID = 'Authentication';
```

Simple, isn't it? Well, that's what they say. Look at the diagram below:

OAuth and OpenID Diagram

Link to the full diagram:
https://infosec.mozilla.org/guidelines/assets/images/OIDC_sequence_diagram.png

That's basically the flow for an OpenID authentication.

The main difference between this type of authentication and the standard cookie model is that it has its own authentication server, and this server has full agency over access: applications are registered upfront, and the server generates a ClientID and a ClientSecret for each registered client.

These secrets and IDs are then used by the clients to perform requests to the authentication server, which provides the token.
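As an added example (not code from the original post), here is a stand-alone Python sketch of what a registered client gets back from the authorization server's token endpoint and the checks it must run on the ID Token before trusting the identity inside it. The issuer URL, client ID, client secret and claims are constructed placeholders, and signing with the client secret (HS256) is used only to keep the demo self-contained; the access token is deliberately an opaque string, because it carries no user data.

```python
import base64, hashlib, hmac, json

# Constructed values for this example: one registered client and its secret.
CLIENT_ID = "my-web-app"
CLIENT_SECRET = b"constructed-client-secret-do-not-reuse"
ISSUER = "https://auth.example.test"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_id_token(claims: dict, secret: bytes) -> str:
    """Authorization-server side: sign the identity claims as a JWT (HS256)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def validate_id_token(token: str, secret: bytes, client_id: str, issuer: str, now: int) -> dict:
    """Client side: every check that must pass before the 'sub' claim is trusted."""
    header, body, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept 'none' or a surprise algorithm
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:
        raise ValueError("token was issued for a different client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def example_token_response(now: int) -> dict:
    """Constructed token-endpoint response: opaque access token plus signed ID token."""
    id_claims = {"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID, "iat": now, "exp": now + 300}
    return {
        "access_token": "opaque-string-only-the-api-understands",  # no identity inside
        "token_type": "Bearer",
        "id_token": make_id_token(id_claims, CLIENT_SECRET),
    }

if __name__ == "__main__":
    resp = example_token_response(now=1_700_000_000)
    print(validate_id_token(resp["id_token"], CLIENT_SECRET, CLIENT_ID, ISSUER, 1_700_000_000))
```

The access token is handed to APIs as-is; only the ID Token is parsed by the client, and only after the signature, issuer, audience and expiry checks above succeed.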

I think that's a good introduction to OAuth and OpenID.

What we've learned so far:

1 - Authentication and Authorization
2 - Authorization Server
3 - ClientID and ClientSecret

In the next articles, I'll cover more about the token and its different strands.
