
OAuth and OIDC

OIDC and OAuth are often used as if they mean the same thing. It helps to know the difference. A clear mental model keeps the concepts straight.

Main difference
  • OAuth - It's only about authorization. It governs who may access which API resources.
  • OIDC - It's about authentication. It builds on OAuth and adds an identity layer that runs once the user has authenticated.

OIDC vs OAuth
  1. OIDC is about the authentication flow. After authentication, it emits an ID Token with user information. It also adds standards for the API endpoints of identity providers.

  2. OAuth is about granting access to resources without a regular login. Identity providers issue access tokens. A token stands in for the user: it states which resources the bearer may access.

OIDC builds on top of OAuth

OAuth existed first. OIDC was added on top, using the standards OAuth had set.

OAuth had already defined the flows to get access tokens from identity providers. OIDC just added the authentication layer and used it to get ID tokens.

JWTs aren't encrypted, but they are digitally signed

Note that ID tokens and access tokens in JWT form are just base64 encoded strings. They aren't encrypted, so anyone holding a token can decode and read its claims.

Still, they're digitally signed with the issuer's private key. Clients verify the signature with the issuer's public key to check that a token is genuine and has not been modified.

Pure OIDC use cases

In the case of LinkedIn using Google for login:

  1. LinkedIn uses OIDC to authenticate the user with Google.
  2. It gets back an ID token from Google that contains user information.
  3. LinkedIn can use this information to map the user to its own user data.
  4. It then uses its own authorization to connect to its APIs.

No OAuth used at all

In this whole flow, no OAuth is used. LinkedIn does receive access tokens, but it never uses them to call Google's services or its own APIs.