What is OpenID Connect (OIDC)?
Authentication methods are simply ways you can verify that a user is who they say they are. With a variety of methods available, from passwords to magic links, there are plenty of different ways you can implement this. One popular method relies on pre-established trust with identity providers, which users see as “Log in with Google” or “Log in with Facebook” buttons. This method works using OpenID Connect (OIDC).
OpenID Connect is an identity layer built on top of the OAuth 2.0 open standard. Developed by the OpenID Foundation, it allows applications to verify users’ identities and get their basic profile information. In this article, we’ll explore the fundamentals of OpenID Connect, cover how it works, and list out its advantages as an authentication method you might want to consider.
Understanding OAuth 2.0 and OpenID Connect
You may have heard OAuth 2.0 and OpenID Connect used interchangeably. However, it’s important to understand the difference between the two terms, and how OAuth 2.0 works as a foundation for OpenID Connect.
OAuth 2.0 (sometimes shortened as OAuth2) is an authorization framework that enables third-party applications to access protected resources on behalf of a user, without the user having to share their credentials. However, OAuth 2.0 doesn't inherently address user authentication.
OpenID Connect was developed to bridge this gap. It uses OAuth2 as a baseline and adds a new token – called the ID token – that includes user identity claims in a JSON format. OpenID Connect uses JSON Web Tokens (JWT) to securely transmit this information between parties.
In combination with OAuth 2.0, OIDC allows users to sign in to websites using pre-established credentials with identity providers (e.g. Google, Facebook, GitHub).
How the two compare, OAuth 2.0 first and OpenID Connect second:
Purpose: authorization and access control vs. user authentication
Tokens: Access Token, Refresh Token vs. Access Token, Refresh Token, ID Token
Relationship to each other: can work on its own vs. works on top of OAuth 2.0
Typical use: governing access to app resources vs. authenticating users, single sign-on (SSO)
How OpenID Connect works
There are three key players in an OpenID Connect flow:
The Relying Party (RP): An application or service that is requesting the user’s identity.
The OIDC Provider (also called the OpenID Provider or the Identity Provider): The entity that performs user authentication.
The end user (also called the Resource Owner): The individual or entity looking to access a resource or application.
The OpenID Connect authentication process typically follows these steps:
The end user will attempt to access a protected resource, such as a private message or a locked article on a website.
The Relying Party redirects the end user to the OIDC provider for authentication.
The end user authenticates with the OIDC provider using their credentials.
The OIDC provider generates an ID token and sends it to the Relying Party.
The Relying Party verifies the ID token and grants the end user access to the protected resource.
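Step 5 is where most of the security work happens. The following is an added example, not code from the original article or from Descope, showing what “verifies the ID token” means for a Relying Party: check the signature, then the iss, aud, exp and nonce claims. It assumes a constructed provider (https://op.example), a constructed client_id, and HS256 with a shared client secret so that it runs offline; real providers mostly use RS256 with keys published at their jwks_uri, and only the signature step would change.

```python
import base64, hashlib, hmac, json

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Constructed setup: the provider signs with HS256 using the shared client secret.
# Real providers mostly use RS256 with public keys fetched from jwks_uri; only the
# signature step differs, the claim checks below stay the same.
CLIENT_SECRET = b"constructed-client-secret"
ISSUER = "https://op.example"   # assumed provider issuer URL
CLIENT_ID = "rp-client-1"       # assumed Relying Party client_id
ALG = "HS256"

def mint_id_token(sub: str, nonce: str, now: int, ttl: int = 300) -> str:
    """Provider side (constructed): build and sign an ID token for one login."""
    header = {"alg": ALG, "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID,
              "iat": now, "exp": now + ttl, "nonce": nonce}
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    sig = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def verify_id_token(token: str, expected_nonce: str, now: int) -> dict:
    """Relying Party side: accept the token only if every check passes, else raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    # Pin the algorithm instead of trusting the token's own header value.
    if json.loads(b64url_decode(h)).get("alg") != ALG:
        raise ValueError("unexpected alg")
    expected = hmac.new(CLIENT_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was issued to a different client")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: not the login we started")
    return claims
```

The aud check is what stops a token issued to some other app at the same provider from logging a user into yours, and the nonce check ties the token to the exact login the Relying Party initiated.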
OpenID Connect flows
Just like OAuth grants, OIDC flows can be performed through different methods, depending on the type of application and security considerations at play. Some methods include:
Authorization code: Instead of directly returning a token, the server presents the Relying Party with a single-use authorization code. This code is then exchanged for the required tokens. For single-page apps and mobile/native apps, this flow can be modified with PKCE (Proof Key for Code Exchange).
Implicit: This is a less secure flow than the authorization code method. Using this method directly returns the token to the Relying Party in a redirect URI.
Hybrid: This method combines the implicit and authorization code flows. While the ID token is returned directly to the Relying Party, the access token is only returned after the Relying Party exchanges the authorization code for it.
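To make the authorization code flow with PKCE concrete, here is an added example (not code from the original article or from Descope) covering both sides: the Relying Party builds the authorization request with state, nonce and an S256 code_challenge, checks state on the callback, and the provider only redeems the code if the presented code_verifier matches the stored challenge. The provider endpoint, client_id and redirect_uri are assumed values.

```python
import base64, hashlib, secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for a hypothetical provider and Relying Party (not real endpoints).
AUTHZ_ENDPOINT = "https://op.example/authorize"
CLIENT_ID = "rp-client-1"
REDIRECT_URI = "https://rp.example/callback"

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_pkce() -> tuple:
    """Returns (code_verifier, code_challenge). The verifier never leaves the RP;
    only the S256 challenge is sent in the authorization request (RFC 7636)."""
    verifier = b64url(secrets.token_bytes(32))   # 43 URL-safe chars
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge

def build_authorization_request(state: str, nonce: str, code_challenge: str) -> str:
    """Step 2 of the flow: the URL the RP redirects the browser to."""
    params = {
        "response_type": "code",          # code flow: no token travels in the redirect
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",  # "openid" is what makes this an OIDC request
        "state": state,                   # tied to the browser session; checked on return
        "nonce": nonce,                   # must reappear inside the ID token
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"

def parse_callback(callback_url: str, expected_state: str) -> str:
    """RP side: pull the single-use code out of the redirect, but only if state matches."""
    q = parse_qs(urlparse(callback_url).query)
    if not secrets.compare_digest(q.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "code" not in q:
        raise ValueError(q.get("error", ["callback carried no code"])[0])
    return q["code"][0]

def provider_checks_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Provider side at the token endpoint: the code is redeemable only with the
    verifier that produced the challenge, so a stolen code alone is useless."""
    derived = b64url(hashlib.sha256(presented_verifier.encode()).digest())
    return secrets.compare_digest(derived, stored_challenge)
```

Compare this with the implicit flow above: because only a code appears in the redirect, nothing in the browser history or a leaked URL is directly usable as a token.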
Advantages of OpenID Connect
OpenID Connect offers several benefits for both end users and service providers:
Simplified authentication: OpenID Connect streamlines the authentication process by enabling single sign-on (SSO) across multiple applications. Users can authenticate once with their OpenID provider and access multiple services without re-entering their credentials.
Improved security: By centralizing the authentication process, OpenID Connect helps mitigate the risk of phishing attacks and password breaches. For example, if an app encourages users to sign in with their Google account, the user can concentrate their protective measures on that one account, such as choosing a strong password. As a result, they don't need to create and manage separate strong passwords for various other applications.
Enhanced privacy: OpenID Connect allows users to maintain control over their personal information. They can choose which data to share with Relying Parties and can revoke access at any time.
Scalability and flexibility: OpenID Connect supports various authentication methods and can be easily integrated into existing systems. It's also compatible with most mobile and desktop applications, making it a versatile solution for any kind of application.
OIDC and security
The OpenID Connect authentication protocol has become an essential tool in the world of identity and access management. It offers a secure and user-friendly authentication experience. By leveraging authentication methods like OIDC, you can implement a comprehensive solution for managing user identities across various applications.
However, the OIDC protocol is not trivial. It can be time-consuming to implement authentication correctly while ensuring there are no security gaps. For instance, in June 2023 Descope disclosed an implementation flaw affecting both OAuth and OpenID Connect that could allow attackers to perform full account takeover on any app that uses “Log in with Microsoft”.
OIDC federated authentication with Descope
Want to add secure, frictionless OIDC authentication to your app without the heavy lift of in-house building and maintenance? Descope can help. Our drag-and-drop workflows abstract away the complexity of authentication so that developers can spend more time building their core product.
Since Descope can act as an OpenID Connect federated identity provider, it can handle authentication without you having to change your primary IdP or user store.
Some use cases of implementing Descope as an OIDC provider are:
Unifying user identity across several internal apps.
Using Descope authentication with server-side rendering (SSR) frameworks such as Next.js, Nuxt.js, and SvelteKit.
Sign up for our “Free Forever” tier today and begin your OpenID Connect journey!