What is the difference between OpenID Connect and OAuth2?

OpenID Connect is a protocol that runs on top of OAuth2. It adds support for authentication and the ability to share information about the authenticated user.

Is OAuth part of OpenID?

Yes, OpenID runs on top of OAuth. It provides authentication and a means for sharing identity information with an application.

Is OpenID Connect better than SAML?

OpenID Connect (OIDC) is more lightweight and easier to implement than SAML However, SAML is older and still has widespread adoption.

Is OpenID Connect dead?

OpenID Connect is a relatively young standard, meaning that it is not widely adopted. However, it offers better performance and usability than alternatives like SAML.

What is the difference between OAuth and OAuth2?

OAuth2 is commonly referred to as just OAuth. OAuth2 is an open standard for sharing authorization information, while OAuth1 was developed specifically for the Twitter API. OAuth2 is not backward-compatible with OAuth1.

What is the difference between OAuth and SSO?

SSO is designed to allow a user to log in once and then access multiple different applications without authenticating again. OAuth allows a user to authorize one application to access data held by another without sharing credentials between the two applications.

OpenID Connect (OIDC) vs OAuth2

by Alex Brown

March 13, 2022

Mar, 13, 2022

In some situations, one application may need access to data held by another application. A common example is a list of contacts used to send emails, texts, etc. to a user’s friends and family. One option for sharing this access is providing one application with the user’s credentials for the other. While this makes it possible to access the required data, it also creates significant security issues. OpenID Connection (OIDC) and OAuth2 make it possible to enable data sharing between applications without sharing user credentials.

Authentication vs. Authorization

Before diving into the details of OIDC vs. OAuth2, it’s important to understand the difference between user authentication vs. authorization. Authentication is proving a user’s identity to a service. This is accomplished using passwords, biometrics, etc.

Authorization uses the authenticated identity of a user to determine what they should be able to access. With the knowledge that you are you, a system can then determine if you should be able to access a particular system, and, if so, what level of access you should have.

What is OAuth2?

OAuth2 is an authorization standard defining a framework for sharing account information about a user between parties without revealing their credentials. For example, if you want to share your contacts list with a website so that it can send emails on your behalf and click on a “Sign In with Google” button, then you’re using OAuth2.

OAuth2 focuses on authorization, not authentication. The assumption is that Google, Facebook, etc. has performed strong authentication and is confident about a user’s identity. OAuth2 provides one service the ability to access data about a user collected by another without the need for the user to log in again.

How Does It Work?

The OAuth2 framework has a few different process flows or “grant types”. It defines the following four roles, which, under the Authorization Code Grant Type, perform the following functions:

Client: The application requesting access to a protected resource. Communicates directly with the other three.
Resource Owner: The user granting one application access to another. Upon receiving an authorization request sends an authorization grant to the client.
Authentication Server: The party performing the authentication (Google, Facebook, etc.). Accepts an authorization grant na d provides an access token.
Resource Server: The application providing the protected data. Accepts the access token and provides access to the protected resource.

What is OpenID Connect (OIDC)?

OpenID Connect is designed to provide a common format for exchanging user authentication information between authentication services and websites. It provides specifications for Single-Sign On (SSO) and user authentication flows, making it easier to integrate strong user authentication into websites and mobile apps.

With OIDC, users can log in once and take advantage of SSO to gain access to both Internet-based and non-Internet resources without needing to log in again. OIDC is supported by Microsoft, Google, and other cloud providers.

How Does It Work?

OIDC is an extension of OAuth2 that focuses on user authentication rather than user authorization. Once OIDC authenticates a user, it uses OAuth2 specifications to perform authorization.

Like OAuth2, OIDC includes four parties:

Relying Party: The Client in OAuth
OpenID Provider: Authenticates the user and sends a one-time code to the Relying Party
Token Endpoint: Receives the one-time code and provides a digitally-signed access token that is valid for one hour
UserInfo Endpoint: Accepts the access token and provides information about the user to the Relying Party

OAuth2 vs. OIDC

OAuth2 and OIDC are closely-related protocols; however, they have some significant differences. Including:

Authentication vs. Authorization: OAuth2 is focused solely on authorization, while OIDC supports authentication and authorization.
Security: OIDC has more stringent standards and integrated security features that OAuth2, providing it with improved security. However, OIDC runs on top of OAuth2, so they can be vulnerable to the same attacks.

Choosing Between OAuth2 and OIDC

OAuth2 and OIDC both have their pros and cons. OAuth2 is more established but lacks support for authentication and has weaker security. By adding OIDC, an application is reliant on a less widely-adopted protocol but adds authentication and security benefits.

Author

Alex Brown

A self-professed technology geek, content writer Alex Brown is the kind of person who actually reads the manual that comes with his smartphone from cover to cover. His experience evangelizing for the latest and greatest tech solutions gives him an energized perspective on the latest trends in the authentication industry. Alex most recently led the content team at Boston-based tech company Form.com.

View all posts

Platform

Identity OrchestrationTM

Detection and Response

Identity Management

Identity Verification

Authentication Services

Data Validation

Contact us

Leadership

Media

Careers

Corporate Social Responsibility

Become a Partner

Account Recovery: Turning Risk into Reward

Media

Identity Hub

Blog

System Status

Events & Webinars

Support

Content Hub

Request a Demo

Get the Transmit Security Blog Straight To Your Email

Table of Contents

OpenID Connect (OIDC) vs OAuth2

Authentication vs. Authorization

What is OAuth2?

How Does It Work?

What is OpenID Connect (OIDC)?

How Does It Work?

OAuth2 vs. OIDC

Choosing Between OAuth2 and OIDC

Author

Get the Transmit Security Blog Straight To Your Email

Latest blog posts

Account Recovery: Turning Risk into Reward

It’s Time for IAM to Lead the Cyber-Resiliency Charge

Safeguarding Business Logic in an Era of Democratized Scams

6 Initiatives of the ‘Scam Safe Accord’ & a Ready-Made Solution

Useful Links

Solutions

About

Resources

Contact Us

Identity Orchestration^TM

Account Recovery:
Turning Risk into Reward

Account Recovery:
Turning Risk into Reward