OAuth 2.0 is the industry standard for authorization. This framework specifies the authorization flows for web and PC apps, mobile devices, and more.
It lets a user who has already authenticated with an authentication provider grant another website or service a limited-scope access token that authorizes it to reach specific additional resources on the user's behalf. It is important to remember that OAuth 2.0 is a framework, not a protocol.
The best-known example is using your Google account to register for or log in to a third-party service. OAuth 2.0 dictates how authorization is maintained between you, Google, and the third-party service so that the service is authorized to access only certain information from your Google account.
OpenID Connect (OIDC)
OpenID Connect is a thin identity layer that sits on top of the OAuth 2.0 framework. Many architects misuse OAuth 2.0 to also handle authentication, which is not best practice. OpenID Connect adds a small amount of information (about 10% more) on top of the OAuth 2.0 framework to supply what authentication requires as well.
The main point is that OAuth 2.0 does not care about the identity of the person behind the client, whereas OpenID Connect adds an ID token that includes the relevant user details.
OAuth 2.0 Misuse
OAuth 2.0 is frequently misused to handle both authorization and authentication, which is NOT what it was designed to do. Because it is a framework, OAuth 2.0 allows a great deal of implementation flexibility, and many architects use that flexibility to bolt on a simple form of authentication, which is not the most secure approach. OpenID Connect, by contrast, is a strict protocol with little flexibility, so if you implement it as specified, it will be secure.
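The ID token described in the OpenID Connect section, and the reason an OAuth 2.0 access token alone is the wrong thing to log a user in with, can be made concrete with an added example (not code from the original post): the checks a relying party must run on an ID token before trusting it as a login, including that the token was issued to this client and for this login attempt. The issuer URL, client ID, signing key and claims are all constructed for the demo; a real provider signs with asymmetric keys published through its discovery document rather than a shared secret.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values; a real provider signs with RS256/ES256 keys found
# via its discovery document, not a shared secret known to the client.
ISSUER = "https://issuer.example"
CLIENT_ID = "my-web-app"
KEY = b"demo-shared-secret"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(claims: dict) -> str:
    """Stand-in for the provider: sign the claims as an HS256 JWT."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def validate_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """The checks OIDC requires of the relying party before trusting an ID
    token: signature, issuer, audience (this client), expiry, login nonce."""
    now = int(time.time()) if now is None else now
    head, body, sig = token.split(".")
    want = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued to this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims

def login_outcome(token: str, nonce: str, now: int) -> str:
    """Return the subject on success, or the reason the login was refused."""
    try:
        return "sub=" + validate_id_token(token, nonce, now)["sub"]
    except ValueError as err:
        return "refused: " + str(err)
```

The audience check is the one a plain OAuth 2.0 access token cannot give you: a token minted for a different client, or replayed from another login, passes no such test unless the ID token carries `aud` and `nonce`.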
Use OAuth 2.0 For
- Granting access to your API
- Getting access to user data in other systems
Use OpenID Connect For
- Logging the user in
- Making your accounts available in other systems
- Getting basic user profile information
This is only a brief overview of the differences between OAuth 2.0 and OpenID Connect. It is important to focus heavily on security and authentication for your systems, so please contact us if you have any questions about your cloud system design.