- ARTICLE -

OIDC: What Is OpenID Connect and How Does It Work? What You Need to Know

What is OpenID Connect and what is OpenID Connect used for?

OpenID Connect (OIDC) is an open authentication protocol that profiles and extends OAuth 2.0 to add an identity layer. OIDC allows clients to confirm an end user’s identity using authentication by an authorization server. Implementing OIDC on top of OAuth 2.0 creates a single framework that promises to secure APIs, mobile native applications and browser applications in a single, cohesive architecture.

What is OAuth 2.0 and how does OAuth 2.0 work?

OAuth 2.0 is an authorization framework that delegates user authentication to the service provider that hosts the user account, and authorizes third-party applications to access the user account. OAuth 2.0 provides authorization flows for web applications, desktop applications and mobile devices.

By introducing an authorization layer, OAuth 2.0 separates the role of the client from the resource owner, or end user. If the client requests access to resources controlled by the end user and hosted by the resource server, instead of using the end user's credentials to access protected resources, the client gets an access token. With the approval of the end user, the authorization server will issue access tokens to the requesting client.

OAuth 2.0 is explicitly designed to support a variety of different client types that access REST APIs. This includes applications running on enterprise web servers conversing with the cloud as well as applications running on employee or customer mobile devices. The OAuth framework supports a variety of client types by defining multiple mechanisms for getting a token where the different mechanisms acknowledge the client type constraints.

What is the difference between OpenID and OAuth?

The main difference between OpenID and OAuth is that OpenID is an authentication protocol while OAuth is an authorization framework. OpenID and OAuth are both open standards that complement each other, but OpenID allows users to be authenticated by relying parties. An OIDC relying party is an OAuth 2.0 Client application that requires user authentication and claims from an OIDC provider. OAuth allows access tokens to be issued to third-party clients by an authorization server. OpenID Connect is built on a profile of OAuth and provides additional capabilities in conveying the identity of the user using the application. Clients use OAuth to request access to an API on a user’s behalf, but nothing in the OAuth protocol tells the client user information. OpenID Connect enables a client to access additional information about a user, such as the user's real name, email address, birthdate or other profile information.

What is the difference between OpenID Connect and SAML?

OpenID Connect and SAML are both identity protocols for authenticating users and providing identity data for access control. One substantial difference between OpenID Connect and SAML is the amount of communication between the application and the identity provider. 

SAML uses SAML tokens written in XML. The application validates the signature itself and the certificate it presents. While SAML relies on heavier XML payloads, OpenID Connect is REST/JSON based. OpenID Connect providers issue both an access token and an ID token. OpenID Connect enables an application to obtain the identity without requiring a call from the application to the identity provider.

What are the benefits of OpenID Connect?

OpenID Connect is an open and trusted authentication protocol that allows a user to authenticate with an external trusted identity provider. OpenID Connect augments the OAuth 2.0 framework. It’s important to understand that OAuth 2.0 is not an identity protocol, but an authentication and authorization framework for securing arbitrary APIs as opposed to APIs guarding identity information. In addition, OAuth’s access tokens carry an authorization semantic, but do not have an identity semantic. OpenID Connect layers these two identity-centric concepts onto OAuth to create a framework for distributed identity.

How is OpenID Connect different from OpenID 2.0?

OpenID 1.0 was released in 2006 as the first mainstream standard for authentication. In 2007, OpenID 2.0 was released, providing both user authentication and user attributes. OpenID 2.0 was widely used and supported by most large internet companies. It wasn’t until 2014 that OpenID Connect was released, rendering the previous versions obsolete. OpenID Connect has the same capabilities as OpenID 2.0, but performs tasks while remaining API-friendly and accessible to native and mobile applications. OpenID Connect also has optional mechanisms for signing and encryption. An extension was required to integrate OAuth 1.0a and OpenID 2.0, but with OpenID Connect, OAuth 2.0 capabilities are simply integrated with the protocol. When “OpenID” is mentioned, a majority of the time it will be referencing OpenID Connect.

How do you set up OAuth 2.0?

Please reference Ping Identity’s OAuth 2.0 Developer Guide for an overview of the processes an application developer and an API developer need to consider to implement the OAuth 2.0 protocol.

Frequently Asked Questions about OpenID Connect: