OpenID Connect & OAuth 2.0
1. OAuth 2.0 – Authorization Framework
- Purpose: Grants a client application limited access to a user’s resources on another service, without giving the client the user’s credentials.
- What it does: Issues access tokens that represent permission to access specific resources (via APIs).
- What it doesn’t do: OAuth 2.0 by itself does not define how to authenticate the user or provide identity information.
- Example: You allow a third-party calendar app to access your Google Calendar. OAuth 2.0 ensures it can read events but not your Gmail — without giving the app your Google password.
2. OpenID Connect (OIDC) – Identity Layer on Top of OAuth 2.0
- Purpose: Adds authentication and user identity to OAuth 2.0.
- What it does: Uses OAuth 2.0’s flows but returns an ID Token (JWT) containing verified information about the user (name, email, profile picture, etc.).
- What it adds: Standardized endpoints, scopes (`openid`), and claims for identity.
- Example: When you "Sign in with Google" to a website, OIDC is what actually provides your verified identity info so the site knows who you are.
3. How They Work Together
Feature | OAuth 2.0 | OpenID Connect (OIDC) |
---|---|---|
Main Purpose | Authorization | Authentication + Authorization |
Token Type | Access Token | Access Token + ID Token |
Knows Who the User Is? | ❌ Not by itself | ✅ Yes — includes user identity data |
Built On | – | Built on top of OAuth 2.0 |
✅ In short:
- OAuth 2.0 → “Can this app do X on behalf of the user?” (permissions)
- OIDC → “Who is the user?” (identity)