OpenID Connect Provider - OpenID Connect Single Sign-On - OIDC OAuth Auth (2024)

OpenID Connect (OIDC) is a protocol to verify user identities and get user profile information. OIDC enables devices to verify identities based on authentication done by an authentication server.

What problems does OpenID Connect solve?

One problem OpenID Connect addresses is how application developers can easily provide users with a usable and secure authentication experience, without investing a lot of time into storing and managing passwords. This enables developers to focus on building their application’s core functionality and lets them build more secure, compelling apps.


Why use OpenID Connect?

OpenID Connect is used by an increasing number of developers to build custom applications, for three reasons:

  1. Simplicity: OpenID Connect is simple to use, and offers great developer productivity around authentication.
  2. Web apps: OpenID Connect provides great support for modern web applications, which often run within a single page and have a great deal of JavaScript, such as Gmail.
  3. Mobile: OpenID Connect provides great support for native mobile applications running on iOS and Android.


Developers can learn more about how to use OneLogin OIDC support at https://developers.onelogin.com/openid-connect


How does OpenID Connect work?

In the simplest terms, OpenID Connect uses the following process to verify a user identity:

First, OpenID Connect will redirect a user to an identity provider (IdP) to determine the user’s identity, either by seeing if they have an active session (Single Sign On) or by asking the user to authenticate.

Then, once the IdP authenticates the user and authorizes them to access a particular application, the IdP redirects back to that app. This redirect also passes information about the user back to the app that it can use to confirm the user’s identity.
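The two redirects described above, seen from the application's side, as an added example (not code from the original page or from OneLogin). It assumes the authorization code flow; the endpoint, client ID and redirect URI are placeholder values.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder values (assumptions); a real app takes these from its IdP registration.
AUTHORIZATION_ENDPOINT = "https://idp.example.com/oidc/auth"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/callback"


def build_auth_request(session: dict) -> str:
    """Redirect 1: build the URL that sends the browser to the IdP."""
    # state binds the callback to this browser session (CSRF defence);
    # nonce is compared later with the nonce claim of the ID token (replay defence).
    session["state"] = secrets.token_urlsafe(32)
    session["nonce"] = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "scope": "openid profile",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": session["state"],
        "nonce": session["nonce"],
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def handle_callback(session: dict, callback_url: str) -> str:
    """Redirect 2: the IdP sent the browser back; return the authorization code."""
    query = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("state", None)  # single use: a replayed callback fails
    returned = query.get("state", [""])[0]
    if expected is None or not hmac.compare_digest(expected.encode(), returned.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in query:
        raise ValueError("IdP returned error: " + query["error"][0])
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    # The app then exchanges this code at the IdP's token endpoint for an ID token.
    return query["code"][0]
```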


How does OpenID Connect compare to OAuth?

OpenID Connect is built on top of OAuth 2.0, specifies a RESTful HTTP API, and uses JSON as a data format. It has a specialized set of predefined data types and endpoints for exchanging user information between the identity provider and the application.


Is OpenID Connect an open standard?

Yes, OpenID Connect is run by the OpenID Foundation. OAuth, which it’s built on, is also an open standard, maintained by the Internet Engineering Task Force’s OAuth Working Group.


What is an example of OpenID Connect that I can play with to learn more?

Auth0 has put together a nice OIDC sandbox at https://openidconnect.net/, which walks the user through the technical details of the OpenID Connect authentication process flow. Another example is Google Sign-In, built using OIDC.

If you’d like to examine additional OpenID Connect code samples, here is Auth0’s GitHub page.


Where can I learn more about OpenID Connect?

The OpenID Connect website FAQ is a good place to start.


Where can I find OpenID clients that I can use in my apps?

We recommend the Auth0 OAuth clients for OpenID Connect. They are available for a range of platforms, including iOS, Android, and JavaScript. Other libraries can be found on the Libraries page of the OpenID Connect website.


FAQs

What is the difference between OIDC and OIDC connect?

OIDC uses JSON Web Tokens (JWT), HTTP flows and avoids sharing user credentials with services. OpenID Connect has consent built-in. This is important as OIDC is often used in consumer-facing services (e.g., a Relying Party), where the sharing of personal data requires the user's explicit consent.

Why is it a bad idea to use OAuth 2.0 for authentication?

The purpose of OAuth2 Tokens is to authorize requests at a first-party server (or API). If the third party uses the OAuth2 Access Token as proof of authentication, an attacker could easily impersonate a legitimate user.

Can OpenID Connect be used for SSO?

How OpenID Connect SSO works: OpenID Connect will redirect a user to an identity provider (IdP) to check the user's identity, either by looking for an active session, i.e., Single Sign-On (SSO), or by asking the user to authenticate.

What is the difference between OAuth 2.0 authentication and OpenID Connect?

OAuth is preferred when authorizing API access or enabling third-party apps. OpenID Connect combines the identity verification capabilities of OpenID with the delegated access features of OAuth. It builds on top of OAuth 2.0 and offers both single sign-on for users and authorized access to user data for clients.

What is an example of OIDC authentication?

OIDC example

For example, there are currently two ways of creating a Spotify account. You can register with Spotify or you can sign on through Facebook. Facebook sends your name and email address to Spotify, which uses that information to authenticate you.

Is OIDC for authentication or authorization?

OpenID Connect (OIDC) is an identity authentication protocol that is an extension of open authorization (OAuth) 2.0 to standardize the process for authenticating and authorizing users when they sign in to access digital services. OIDC provides authentication, which means verifying that users are who they say they are.

Why do you probably not need OAuth2 OpenID Connect?

You only really need OAuth2 and OpenID Connect if you'd like your users to give consent (i.e., "I want to allow this app access to my personal data"). You do not need OAuth2 to generate a JSON Web Token, a Personal Access Token, or a Native Mobile App Session Token.

What are the alternatives to OIDC?

OAuth2, Okta, JavaScript, Git, and GitHub are the most popular alternatives and competitors to OpenID Connect.

Is OAuth2 obsolete?

It states that OAuth 2.0 is deprecated.

Why is OIDC better than SAML?

If you:

  - Want to quickly set up an identity platform, choose OIDC over SAML, without thinking twice. Implementing a basic OIDC solution is much simpler, compared to SAML, which would require heavy-weight XML processing.
  - Have an API-centered architecture, with a lot of mobile and single-page applications, use OIDC.

Is OpenID Connect obsolete?

Yes, OpenID is an obsolete standard that is no longer supported by the OpenID Foundation.

What are the benefits of OIDC?

It facilitates the exchange of user identity information between third-party IdPs and client applications, thus enabling authentication. To securely transfer the user information between the IdP and the application, OIDC uses JSON Web Tokens (JWTs).

Why is it a bad idea to use OAuth 2.0 for authentication?

In OAuth, the token is designed to be opaque to the client, but in the context of a user authentication, the client needs to be able to derive some information from the token. This problem stems from the fact that the client is not the intended audience of the OAuth access token.

Does Google use OAuth or OpenID?

You need OAuth 2.0 credentials, including a client ID and client secret, to authenticate users and gain access to Google's APIs.

Is OpenID Connect safe?

OIDC enables secure and standardized authentication in applications, particularly web and mobile applications. But while OIDC improves security, minimizing user credential exposure, it can introduce security risks such as misconfigured identity and access management (IAM) policies.

Is OpenID and OpenID Connect the same?

How are OpenID & OpenID Connect different? OpenID Connect performs many of the same tasks as OpenID, but in a way that is API-friendly and usable by native and mobile applications. Integration of OpenID requires an extension; in OpenID Connect, authentication capabilities are integrated within the protocol itself.

What is OpenID Connect?

OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 framework. It allows third-party applications to verify the identity of the end-user and to obtain basic user profile information.

What is the difference between SAML and OIDC connect?

OpenID lacks user authorization data (such as permissions) and focuses primarily on identity assertion. SAML is an identity data exchange and is very feature-rich. Authentication is decentralized with OpenID. SAML uses assertions versus the OpenID and OAuth architecture of ID tokens.

Article information

Author: Madonna Wisozk
