OIDC – OpenID Connect


Adding Identity to the Authorization Layer

In the journey through information security, you will frequently encounter OAuth 2.0. While OAuth 2.0 is excellent for authorization (granting an app access to a resource), it was never designed for authentication (proving who the user is). To solve this, OIDC, or OpenID Connect, was created. Think of it this way: OAuth 2.0 is the key to a hotel room, while OIDC is the ID card that proves you are the person who booked it.

What is OIDC?

OpenID Connect is an identity layer built directly on top of the OAuth 2.0 protocol. It allows “Relying Parties” (the apps you are building) to verify the identity of an end-user based on the authentication performed by an “Authorization Server”.

How It Works: The ID Token

The primary difference between standard OAuth and OIDC is the introduction of a third token. While OAuth provides an Access Token and a Refresh Token, OIDC adds the ID Token.

  • Format: The ID Token is a JSON Web Token (JWT).
  • Contents: It contains “claims” about the user, such as their unique ID, name, email, and when they logged in.
  • Verification: Because it is a JWT, your application can cryptographically verify that the token was signed by a trusted provider and hasn’t been tampered with by a malicious actor.

The Flow in Simple Terms

  1. The Request: Your app sends the user to the provider with a specific “scope” called openid.
  2. The Auth: The user logs in (perhaps using MFA).
  3. The Delivery: The provider sends back an ID Token along with the standard OAuth Access Token.
  4. The Result: Your app verifies and decodes the ID Token and instantly knows who the user is, without ever having to store or manage that user's password itself.
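The verification step in the list above (and the "Verification" bullet earlier) is where most of the security value of the ID Token lives, so here is an added example of what a Relying Party should actually check before trusting the token. This is example code written for this post, not code from any provider or library. To run offline with only the Python standard library it signs the token with HS256 and a constructed shared secret; real providers normally use RS256 with keys published at a JWKS endpoint, and in production you would use a maintained JWT library rather than hand-rolled parsing. The issuer URL, client ID, secret, nonce and claim values are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example values; none of these belong to a real provider.
ISSUER = "https://idp.example.com"               # assumed issuer URL
CLIENT_ID = "my-relying-party"                   # assumed client_id / audience
SHARED_SECRET = b"constructed-example-secret"    # constructed HS256 key


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes) -> str:
    """Stand-in for the provider: sign the claims as an HS256 JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class IdTokenError(Exception):
    """Raised when the ID Token fails any verification step."""


def verify_id_token(token: str, key: bytes, issuer: str, client_id: str,
                    expected_nonce: str, now: Optional[float] = None) -> dict:
    """Verify the signature and the core OIDC claims; return the claims on success."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    # 1. Pin the algorithm: never let the token's own header choose it.
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise IdTokenError("unexpected alg")

    # 2. Signature check (constant-time compare) before trusting any claim.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise IdTokenError("bad signature")

    claims = json.loads(b64url_decode(payload_b64))

    # 3. Issuer must be the provider we sent the user to.
    if claims.get("iss") != issuer:
        raise IdTokenError("wrong issuer")

    # 4. Audience must include our client_id ("aud" may be a string or a list).
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise IdTokenError("wrong audience")

    # 5. Expiry: a token from an earlier login must not be replayable later.
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise IdTokenError("token expired or missing exp")

    # 6. Nonce must equal the value our app generated for this login attempt.
    if claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch")

    # 7. A stable subject identifier is the whole point of the ID Token.
    if not claims.get("sub"):
        raise IdTokenError("missing sub")
    return claims


def rejection_reason(token: str, key: bytes, issuer: str, client_id: str,
                     expected_nonce: str, now: Optional[float] = None):
    """Return the verification error message, or None if the token is valid."""
    try:
        verify_id_token(token, key, issuer, client_id, expected_nonce, now)
    except IdTokenError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    now = 1_700_000_000
    nonce = "n-0S6_WzA2Mj"  # constructed per-login nonce
    claims = {"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID,
              "iat": now, "exp": now + 300, "nonce": nonce,
              "email": "alice@example.com"}
    token = mint_id_token(claims, SHARED_SECRET)
    print(verify_id_token(token, SHARED_SECRET, ISSUER, CLIENT_ID, nonce, now)["sub"])
```

The order matters: the algorithm is pinned and the signature is checked before a single claim is read, so a forged header or payload is rejected without any of its contents influencing the rest of the code. The nonce check ties the token to the specific login your app started, which is what stops a token captured from one session from being injected into another.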

Why OIDC is a Security Win

OIDC is a lifesaver because it reduces Identity Silos. Instead of every small app storing passwords, apps delegate the “heavy lifting” of security to specialized identity providers that have robust defenses against brute-force and phishing attacks.

Further Reading & Citations