OpenID Connect (OIDC) is an open authentication protocol that profiles and extends OAuth 2.0 to add an identity layer. OIDC allows a client to confirm an end user’s identity based on authentication performed by an authorization server. Implementing OIDC on top of OAuth 2.0 yields one cohesive framework for securing APIs, native mobile applications and browser applications.
OAuth 2.0 is an authorization framework that delegates user authentication to the service provider that hosts the user account, and authorizes third-party applications to access the user account. OAuth 2.0 provides authorization flows for web applications, desktop applications and mobile devices.
By introducing an authorization layer, OAuth 2.0 separates the role of the client from the resource owner, or end user. If the client requests access to resources controlled by the end user and hosted by the resource server, instead of using the end user's credentials to access protected resources, the client gets an access token. With the approval of the end user, the authorization server will issue access tokens to the requesting client.
OAuth 2.0 is explicitly designed to support a variety of different client types that access REST APIs. This includes applications running on enterprise web servers conversing with the cloud as well as applications running on employee or customer mobile devices. The OAuth framework supports a variety of client types by defining multiple mechanisms for getting a token where the different mechanisms acknowledge the client type constraints.
The main difference between OpenID and OAuth is that OpenID is an authentication protocol while OAuth is an authorization framework. OpenID and OAuth are both open standards that complement each other. OpenID lets relying parties authenticate users through an identity provider; an OIDC relying party is an OAuth 2.0 client application that requires user authentication and claims from an OIDC provider. OAuth allows access tokens to be issued to third-party clients by an authorization server. OpenID Connect is built on a profile of OAuth and adds the ability to convey the identity of the user using the application. Clients use OAuth to request access to an API on a user’s behalf, but nothing in the OAuth protocol itself tells the client who the user is. OpenID Connect enables a client to obtain additional information about a user, such as the user's real name, email address, birthdate or other profile information.
OpenID Connect and SAML are both identity protocols for authenticating users and providing identity data for access control. One substantial difference between OpenID Connect and SAML is the amount of communication between the application and the identity provider.
SAML uses SAML tokens written in XML. The application validates the token's signature itself, together with the certificate presented with it. While SAML relies on heavier XML payloads, OpenID Connect is REST/JSON based. OpenID Connect providers issue both an access token and an ID token. OpenID Connect enables an application to obtain the user's identity without requiring a call from the application to the identity provider.
The application starts with an OAuth flow that asks the user to authorize a request. As part of that flow, the client will include the OpenID Connect scope along with scopes for any additional information it wants about the user.
After the request is processed, the client will receive an access token as well as an ID token issued by the authorization server that contains claims that carry information about the user. The user’s SSO experience is made possible by the delivery of the ID token from the authorization server to the client. The client can then contact a special endpoint on the authorization server known as the UserInfo endpoint to receive the remaining claims about the user.
OpenID Connect also defines mechanisms for discovery and session management beyond OAuth.
OpenID Connect is an open and trusted authentication protocol that allows a user to authenticate with an external trusted identity provider. OpenID Connect augments the OAuth 2.0 framework. It’s important to understand that OAuth 2.0 is not an identity protocol, but an authentication and authorization framework for securing arbitrary APIs as opposed to APIs guarding identity information. In addition, OAuth’s access tokens carry an authorization semantic, but do not have an identity semantic. OpenID Connect layers these two identity-centric concepts onto OAuth to create a framework for distributed identity.
OpenID 1.0 was released in 2006 as the first mainstream standard for authentication. In 2007, OpenID 2.0 was released, providing both user authentication and user attributes. OpenID 2.0 was widely used and supported by most large internet companies. It wasn’t until 2014 that OpenID Connect was released, rendering the previous versions obsolete. OpenID Connect has the same capabilities as OpenID 2.0, but delivers them in a way that is API-friendly and accessible to native and mobile applications. OpenID Connect also has optional mechanisms for signing and encryption. An extension was required to integrate OAuth 1.0a and OpenID 2.0, but with OpenID Connect, OAuth 2.0 capabilities are simply part of the protocol. When “OpenID” is mentioned today, it is most often a reference to OpenID Connect.
Please reference Ping Identity’s OAuth 2.0 Developer Guide for an overview of the processes an application developer and an API developer need to consider to implement the OAuth 2.0 protocol.
Is OAuth better than SAML?
OAuth and SAML are not interchangeable standards, but rather work together to create a robust authentication and authorization solution. OAuth is the authorization process and SAML is the authentication process.
Is OpenID Connect better than SAML?
Since SAML requires intensive XML handling, developers tend to find OpenID Connect more flexible and easier to use. Generally, applications will only support either SAML or OIDC, so it all depends on which identity protocol complements your application.
How does OpenID Connect SSO work?
With Ping Identity products, OpenID Connect SSO is enabled by completing the configurations described in the product documentation:
PingFederate: https://docs.pingidentity.com/bundle/MyPing/page/awz1604962098131.html
PingAccess: https://docs.pingidentity.com/bundle/MyPing/page/qjq1605722295704.html
PingOne: https://docs.pingidentity.com/bundle/pingintelligence-44/page/dqe1616546061657.html
PingCentral: https://docs.pingidentity.com/bundle/pingcentral-18/page/qyh1624306876538.html
PingDirectory: https://docs.pingidentity.com/bundle/MyPing/page/pxy1607014262073.html
How do I request OAuth?
In the OAuth Authorization Request, clients direct a user’s browser to the authorization server to begin the OAuth process. Clients can use the authorization code grant type or the implicit grant. Along with the type of grant specified by the response_type parameter, the request carries a number of other parameters that indicate the specifics of the request.
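As an added example of the authorization request just described (not code from the original page or from Ping Identity's products; the endpoint, client and redirect values are constructed), this builds the request for the authorization code grant with the openid scope, and checks the returned state on the callback so a forged redirect is rejected:

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed values (not from the original page); the endpoint is hypothetical.
AUTHORIZATION_ENDPOINT = "https://op.example.com/as/authorization.oauth2"
CLIENT_ID = "rp-client-1"
REDIRECT_URI = "https://rp.example.com/callback"

def build_authorization_request(extra_scopes=("profile", "email")):
    # Returns (url, session). 'state' binds the callback to this browser
    # session (CSRF defence) and 'nonce' is later checked inside the ID token;
    # both are kept server-side until the callback arrives.
    session = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}
    params = {
        "response_type": "code",  # authorization code grant ("token"/"id_token" would be implicit)
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(("openid",) + tuple(extra_scopes)),  # "openid" makes this an OIDC request
        "state": session["state"],
        "nonce": session["nonce"],
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params), session

def handle_callback(callback_url, session):
    # Extract the authorization code from the redirect, but only if the
    # state matches the one stored for this session.
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError("authorization server returned: " + query["error"][0])
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, session["state"]):
        raise ValueError("state mismatch: callback not bound to this session")
    return query["code"][0]
```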
What does an OAuth service entail?
OAuth 2.0 is an authorization framework that delegates user authentication to the service provider that hosts the user account, and authorizes third-party applications to access the user account. OAuth 2.0 provides authorization flows for web applications, desktop applications and mobile devices.
What are some OAuth examples?
A large variety of account providers use OAuth. For example, if a website ever prompts you to sign in with Google, Facebook, Twitter or LinkedIn, that process uses OAuth. Basically, OAuth lets you choose whether a website can access applicable information about your account without sharing your password.
How do I set up OAuth authentication?
Please reference Ping Identity’s OAuth 2.0 Developer Guide for an overview of the processes an application developer and an API developer need to consider to implement the OAuth 2.0 protocol.
To find out more about how OpenID Connect helps secure identity data in an increasingly complex ecosystem, download the Ping Identity white paper OpenID Connect 101.