Saturday, 20 September 2025

Difference between OAuth 2.0 and OpenID Connect

OAuth 2.0 is an authorization framework for granting limited access to resources, while OpenID Connect (OIDC) is an authentication layer built on top of OAuth 2.0. OIDC gives clients a standardized way to verify a user's identity and obtain basic profile information through an ID Token (a JWT) that is issued alongside the OAuth access token.

OAuth 2.0 Flow (Authorization)
  • Focus: Grants access to resources (e.g. an API) on behalf of a user.
  • Purpose: Allows a third-party application to perform actions or access data on another service without needing the user's credentials.
  • Tokens: Issues an Access Token, which is used to access the user's resources.
  • User Information: Does not standardize or provide user identity information; its focus is on the granted permissions (scopes). Possession of an access token proves that a client was authorized, not who the user is.
OpenID Connect Flow (Authentication)
  • Focus: Authenticates a user and provides identity information to the client application.
  • Purpose: Enables Single Sign-On (SSO) and allows applications to get basic user profile data, such as name and email.
  • Tokens: Issues both an Access Token and an ID Token. The ID Token is a JWT containing user identity and authentication details (issuer, subject, audience, expiry, and, when the client supplied one, the nonce).
  • User Information: Defines scopes such as openid, profile, and email to request specific user profile information, which is returned in the ID Token.
  • Mechanism: It is an extension of OAuth 2.0; a request is only an OIDC request when it includes the openid scope. Without it, the provider returns a plain OAuth access token and no ID Token.
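The two flows side by side, as an added example that is not code from the original post: the same authorization-code request is sent once with a plain OAuth scope and once with openid, a simulated token endpoint returns an ID Token only in the second case, and the client verifies that ID Token before trusting its claims. The issuer URL, client ID, client secret and the user claims are constructed values; the token is signed with HS256 using the client secret as the key (OIDC Core permits this; real providers more commonly use RS256 with published JWKS, which changes only the signature check).

```python
"""OAuth 2.0 vs OIDC: identity comes from a verified ID Token, not from an access token.
Constructed example; the issuer, client and user values below are not from any real provider."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

ISSUER = "https://idp.example.com"            # assumed provider
CLIENT_ID = "my-client"                       # assumed client registration
CLIENT_SECRET = "example-client-secret-not-real"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_authorization_url(scopes, state, nonce, redirect_uri="https://app.example.com/cb"):
    """Authorization-code request. It is an OIDC request only when 'openid' is in scope,
    and only then does a nonce make sense (it is echoed back inside the ID Token)."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": redirect_uri, "scope": " ".join(scopes), "state": state}
    if "openid" in scopes:
        params["nonce"] = nonce
    return f"{ISSUER}/authorize?" + urlencode(params)


def sign_hs256(claims, key):
    """Mint a JWT the way the provider would (HS256 keyed with the client secret)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def token_response(scopes, nonce, now=None):
    """Simulated token endpoint: an access token is always issued; an ID Token only for openid,
    with profile/email claims added only when those scopes were requested."""
    now = int(time.time()) if now is None else now
    resp = {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer", "expires_in": 3600}
    if "openid" in scopes:
        claims = {"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID,
                  "iat": now, "exp": now + 600, "nonce": nonce}
        if "profile" in scopes:
            claims["name"] = "Jane Doe"
        if "email" in scopes:
            claims["email"] = "jane@example.com"
        resp["id_token"] = sign_hs256(claims, CLIENT_SECRET)
    return resp


def verify_id_token(token, key, expected_nonce, now=None):
    """Client-side ID Token validation: pinned alg, signature, iss, aud, exp, nonce.
    Raises ValueError on any failure; only the returned claims may be trusted."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":   # never let the token choose the alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def login(scopes, now=None):
    """End to end: build the request, receive tokens, and derive identity only from a verified ID Token."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    resp = token_response(scopes, nonce, now)
    identity = verify_id_token(resp["id_token"], CLIENT_SECRET, nonce, now) if "id_token" in resp else None
    return {"authorization_url": build_authorization_url(scopes, state, nonce),
            "access_token": resp["access_token"], "identity": identity}


if __name__ == "__main__":
    print("OAuth only :", login(["read:calendar"])["identity"])           # None: no identity
    print("OIDC       :", login(["openid", "email"])["identity"])          # verified claims
```

The OAuth-only call returns an access token but no identity, which is the whole distinction: a client that "logs users in" by accepting any bearer access token has no standardized proof of who the user is. The OIDC call returns claims only after the signature, issuer, audience, expiry and nonce checks pass; a token with a rewritten subject, a stale exp, or a missing nonce is rejected.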
Summary

OAuth 2.0 answers "what is this client allowed to do?" and OpenID Connect answers "who is this user?". An OAuth access token is a permission, not a proof of identity, so an application that needs to know who signed in should request the openid scope and validate the ID Token it receives (signature, issuer, audience, expiry and nonce) rather than treating possession of an access token as a login.