Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

OAuth2.0 and OpenID Connect Confusing

Tags:

openid-connect

oauth-2.0

I am confused about the use of OAuth 2.0 as an Authorization method and OpenID Connect as an Authentication method.

Based on my knowledge OAuth 2.0 is only an Authorization method. In other words, this is the process to request an ACCESS_TOKEN and RECEIVE this ACCESS_TOKEN, like depicted in the image below in yellow ellipse: (simplified)

enter image description here

Before an OAuth 2.0 Client retrieves an ACCESS_TOKEN from an Authorization Server this Server should verify if the User allows it and this is an Authentication Process that OAuth 2.0 does not care about.

When OpenID Connect is included in the mix it allows for an Authentication Method as well, but in my knowledge OpenID Connect just adds a "Claim" in the JWT Token that holds information about user that is using the service, like: email, name and others.

My questions are:

  1. Why not ignore OpenID Connect and just add more "claims" in OAuth 2.0 to get information about users?
  2. Is my description of the flows correct?
like image 610
Ronaldo Lanhellas Avatar asked Jul 17 '18 21:07

Ronaldo Lanhellas

2 Answers

OpenID Connect does not merely "add a claim in JWT Token" but:

  1. it introduces a completely new token (id_token) with radically different semantics than the OAuth 2.0 access_token and a standardized format that is understood by the Client as opposed to the access_token which is opaque to the Client

  2. it "twists" the role of the Client, now becoming the "audience" (or: intended recipient) of a token (i.e. the id_token) whilst the audience of the access_token is still a remote entity (aka. Resource Server) and the Client is only the "presenter" of the latter

The 2nd item is the primary source of confusion between OAuth 2.0 and OpenID Connect.

like image 64
Hans Z. Avatar answered Dec 25 '22 07:12

Hans Z.

I don't know if your method will work or not but you're totally free to roll your own authentication. After all, that's what Facebook, GitHub and many others did by customizing oauth2. There ended up being so many oauth2 "authentication" methods that it was never plug and play if you wanted to change your provider. I believe that's why OpenID connect was introduced--a common way of connecting and reasoning about authentication while building on the established oauth2 pattern for authorization. Use OpenID connect or don't...but if you don't you'll be reinventing the wheel.

like image 26
sdoxsee Avatar answered Dec 25 '22 07:12

sdoxsee
Sign in to Comment

Related questions

How should I make sure the user accessing a backend rendered frontend route is authenticated?
What exactly is an "OAuth Provider"?
How do I get an access token using UrlFetchApp with GAS
Authenticating Google API with a service account with Java API
get token, store it, refresh it if expired using oauth2 gem in ruby
Why is OAuth2 with Gmail Nodejs Nodemailer producing "Username and Password not accepted" error
Azure web App .net core OpenID redirect_uri issue
Why is my oauth2 config not using my custom UserService?
Accessing LinkedIn data via API using python (and authorisation in general)
Google Javascript API (gapi) - problems with .load
Loading Image in JavaScript with Bearer token
Alamofire 5 Adapting and Retrying Requests
Should dynamic query parameters be present in the Redirection URI for an OAuth2 (Autorization Code Grant Type)
In oauth2, is expires_in is in seconds or miliseconds?
How to persist oauth access tokens in spring security JDBC?
Sign in with different google account Firebase iOS
Login with FB Connect / Google OAuth in .NET
Best way to use Google APIs using OAuth 2.0 on Android
Complex JSON Web Token Array in webapi with OWIN
Gmail api scope & format mismatch

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!