OpenID Connect Overview | Curity (2024)

What is OpenID Connect?

OpenID Connect (OIDC) is an identity layer on top of the OAuth 2.0 protocol. It specifies an extensible suite for client and end-user identity interaction that allows all types of clients to request and receive information about authenticated sessions and end-users as well as providing access to backend APIs using OAuth 2.0 tokens. This allows an identity provider to provide clients with end-user identification and basic profile information.

How Does OpenID Connect Work?

OpenID Connect introduces a new type of token, the ID token, which is issued together with an access token and optionally a refresh token. The flows used to obtain tokens are very similar to the common OAuth 2.0 flows. By including the parameter scope=openid in the request, the client tells the authorization server to run the OpenID Connect protocol. The identity server that implements the authorization server then also implements the OpenID Provider role.

In general, OpenID Connect works as illustrated:

  1. The client sends a request to the identity server asking for authorization and user authentication.
  2. The identity server then authenticates the end-user.
  3. The identity server returns a response to the client with the authentication (and authorization) result.
  4. Optionally, the client can then retrieve user details via the UserInfo endpoint.
  5. The identity server provides user details to the client.
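The request of step 1 and the check a client should run on the response of step 3, written here as an added example in Python (it is not code from the Curity article or the Curity Identity Server); the endpoint URL, client_id and redirect_uri are assumed placeholders.

```python
# Added example (not from the Curity article): step 1 (authentication request with
# scope=openid) and the client-side check of the step-3 response in the code flow.
# AUTHORIZE_ENDPOINT, CLIENT_ID and REDIRECT_URI are assumed placeholder values.
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_ENDPOINT = "https://idsvr.example.com/oauth/v2/oauth-authorize"  # assumed
CLIENT_ID = "my-web-client"                                                 # assumed
REDIRECT_URI = "https://app.example.com/callback"                           # assumed


def build_authentication_request(prompt=None):
    """Return (url, state, nonce). scope=openid turns the OAuth request into an
    OpenID Connect request; state binds the callback to this browser session and
    nonce is echoed in the ID token so the token can be tied to this request."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "nonce": nonce,
    }
    if prompt:  # e.g. "login" forces the user to re-authenticate
        params["prompt"] = prompt
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), state, nonce


def parse_callback(redirect_url, expected_state):
    """Validate the step-3 response; return the authorization code or raise."""
    query = parse_qs(urlsplit(redirect_url).query)
    if "error" in query:
        raise ValueError("provider returned error: " + query["error"][0])
    received_state = query.get("state", [""])[0]
    # A state mismatch means this response was not started by this session.
    if not hmac.compare_digest(received_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if len(query.get("code", [])) != 1:
        raise ValueError("missing or duplicated code parameter")
    return query["code"][0]
```

The client stores state and nonce in its own session before redirecting, and exchanges the returned code for tokens at the token endpoint afterwards.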

OpenID Connect vs OAuth 2.0

OAuth 2.0 was designed to allow a user to grant an application access to resources outside the client's realm. There is no need for users to share their credentials with the client. Instead, a user delegates access rights to the client. The access token represents the delegated access. It describes what the user permits the client to do on his or her behalf. However, OAuth 2.0 does not provide any (standardized) way for the client to request or control user authentication.

OpenID Connect adds the missing identity layer to OAuth 2.0. It does so by accepting a number of request parameters that allow applications to control authentication. For example, the prompt parameter can be used to force the user to re-authenticate. The actual authentication method can still be managed in a myriad of potential ways, all of which are controlled by the OpenID Provider. Once authentication has completed, an ID token is returned to the application as proof of the authentication event. This is a JWT that the app can digitally verify before creating a session. You can use OAuth 2.0 without OpenID Connect and find other means to authenticate the user.

OpenID Connect vs SAML

Security Assertion Markup Language (SAML) is a framework for exchanging security assertions. Assertions in this context are statements made by an authority about the subject (end-user), the authentication, and authorization decisions. They are comparable to claims in OpenID Connect but are encoded in XML. Just like OpenID Connect, SAML enables a client to outsource authentication of a user to an identity provider (IdP). It enables identity federation and lends itself to single sign-on implementations.

SAML was designed for web-based clients. It is typically coded in websites, which would verify the SAML assertion after login and create a session. SAML does not provide a separate API credential. OpenID Connect, on the other hand, provides a more complete solution for modern apps. Since it is based on OAuth 2.0, OpenID Connect provides an API credential (access token) that can be sent by web and mobile clients to backend APIs.

Benefits of OpenID Connect

  • API-friendly - OpenID Connect is API-friendly. It extends OAuth 2.0, and defines a REST-like protocol for authentication and basic user profile information.
  • Web and Mobile-friendly - OpenID Connect is a protocol designed to support mobile applications. It works well in both mobile apps and Web apps. It supports mobile single sign-on.
  • Lightweight Syntax - The message formats are based on JSON. JSON (JavaScript Object Notation) is human-readable, but still suitable for machine parsing. It is language independent and has simple conventions, making it easy to work with. As it consists of name-value pairs in an ordered list, it is a good data-interchange format.
  • Specified Token Format - ID tokens in OpenID Connect are JSON Web Tokens, JWTs (pronounced "jots"). The format is a JSON-based open standard for creating tokens. It includes claims to inform the application when and how authentication occurred, as well as the identity of the user.
  • Easy Key Distribution - OpenID Connect provides a key distribution mechanism called JSON Web Key Set (JWKS). There is no need for the overhead of a separate key management and distribution mechanism like a PKI infrastructure.
  • Access to User Information - OpenID Connect provides endpoints for clients to use when they need access to user data. It also provides mechanisms for the user to consent before this data is released to the client.

OpenID Connect Flows

The core OpenID Connect specification describes three OIDC flows:

  • Authorization Code Flow: The most popular flow in OpenID Connect as well as the most flexible. It allows all types of clients to obtain tokens securely.

  • Implicit Flow: The implicit flow was historically included in the specification to allow running OIDC from browser-based clients. Since modern browsers are capable of using the authorization code flow, developers should not need to use this flow.

  • Hybrid Flow: The hybrid flow is a mix of the implicit flow and the authorization code flow. It allows browser-based clients to obtain tokens in two different ways. It can prove helpful in some special use cases.

OpenID Connect - The Internet Identity Layer

OpenID Connect is the leading internet standard for cross-domain single sign-on and identity.

The main benefit of using OpenID Connect is that it provides a completely standardized setup. Since it is built on OAuth 2.0, it is API-friendly. It extends the OAuth 2.0 protocol with support for authentication so that the client can verify the identity of its users.

OpenID Connect does not define how authentication should be performed, but it provides a standardized protocol for how to ask for authentication and how the result of authentication should be presented to the client. It uses JWTs (JSON Web Tokens) as its identity token format and works for all kinds of clients, such as web-based, mobile or native clients. The specification is available at the OpenID Foundation website.

