I am really confused when I read that OAuth is used when you want authorization and OpenID when you want authentication, i.e. getting the user's identity.
What does identity mean here? I feel it is a way to know the user by, let's say, email.
I can really get the user's email by just using OAuth, so it means I can identify the user, as well as use more scopes to get access to the user's data like Google Drive. So why would I need OpenID in this use case (just a question)?
My pseudo-code flow is as below:
1. Via the OAuth client popup, get the authorization code from the frontend when the user gives access. (Scopes are 'https://www.googleapis.com/auth/userinfo.email' and 'https://www.googleapis.com/auth/userinfo.profile'.)
2. Pass this authorization code to get an access token.
3. Use the access token to call the profile API to get name and email.
4. Now I have the identity; similarly I can use more scopes and use other APIs like the Drive API as well.
Where does OpenID fit here, or, if I don't need OpenID, which scenarios would need OpenID?
Thanks in advance.
OAuth is primarily an authorization protocol, centred on getting and using access tokens. Yet in practice, when a user is present, this always includes the use of a code flow to trigger user authentication, so that the access token identifies the user in a secure way.
OpenID Connect Core puts more standardized structure around some behaviours, in particular what a client can do before and after authentication:
- The client includes the openid scope to request an ID token.
- The client can send extra request parameters to control how user authentication works.
- The client can read the ID token to know how and when user authentication occurred and to get a user identifier.
Although the OIDC behaviours are largely secondary in most cases, these days you usually use OAuth and OIDC together. This gives your client the best options for controlling login and logout related behaviours when needed. For example, you might use OIDC RP initiated logout or send the prompt=login parameter to force the user to re-authenticate.
OIDC also defines standard scopes for accessing parts of a user's information, like profile and email, and a userinfo endpoint that returns standardized values (claims) contained within each scope.
You may come across some authorization servers that only support OAuth, yet also implement some behaviours from the OIDC standard, which was released in 2015. If you can’t use OIDC or get an ID token it does not mean the system is less secure.
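As an added example (not part of the question or the answer above), here is the asker's code flow extended with the OIDC pieces the answer describes: the openid scope plus a nonce in the authorization request, prompt=login to force re-authentication, and the checks a client runs on the returned ID token before trusting the user identifier (sub) and auth_time in it. It assumes a confidential client whose ID tokens are signed with HS256 using the client_secret as the key, which OpenID Connect Core section 10.1 permits; Google signs with RS256, so a real client would verify against the provider's published keys instead. The issuer URL, client ID, client secret, subject and the make_id_token helper are made up so the code runs offline.

```python
"""Hypothetical OIDC relying-party helpers (added example, not from the
original post). All URLs, client IDs and secrets are made up."""

import base64
import hmac
import json
import secrets
import time
from urllib.parse import urlencode


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_url(authz_endpoint, client_id, redirect_uri, scopes,
                            force_login=False):
    """Step 1 of the asker's flow with OIDC additions: the openid scope makes
    the server issue an ID token, nonce binds that token to this login,
    state protects the redirect against CSRF, prompt=login forces re-auth."""
    if "openid" not in scopes:
        scopes = ["openid", *scopes]
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": " ".join(scopes),
              "state": state, "nonce": nonce}
    if force_login:
        params["prompt"] = "login"
    return f"{authz_endpoint}?{urlencode(params)}", state, nonce


class IdTokenError(Exception):
    pass


def verify_id_token(id_token, client_secret, issuer, client_id,
                    expected_nonce, now=None, max_age=None):
    """Instead of calling a profile API (step 3), validate the ID token that
    came back with the access token and read the identity claims from it."""
    now = int(time.time()) if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise IdTokenError("token is not a three-part JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # also rejects alg=none
        raise IdTokenError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(client_secret.encode(), signing_input, "sha256").digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise IdTokenError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise IdTokenError("wrong issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        raise IdTokenError("token was not issued for this client")
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        raise IdTokenError("multiple audiences but azp is not this client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise IdTokenError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch: token not bound to this login")
    if max_age is not None:  # "when user authentication occurred"
        auth_time = claims.get("auth_time")
        if not isinstance(auth_time, int) or now - auth_time > max_age:
            raise IdTokenError("authentication is older than max_age")
    if "sub" not in claims:
        raise IdTokenError("no subject identifier")
    return claims


def make_id_token(claims: dict, client_secret: str) -> str:
    """Constructed issuer side, present only so the example runs offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(),
                   f"{header}.{payload}".encode("ascii"), "sha256").digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


ISSUER = "https://idp.example"          # made up
CLIENT_ID = "example-client"            # made up
CLIENT_SECRET = "example-client-secret" # made up


def demo(now=1_700_000_000):
    url, state, nonce = build_authorization_url(
        f"{ISSUER}/authorize", CLIENT_ID, "https://app.example/cb",
        ["email", "profile"], force_login=True)
    token = make_id_token({"iss": ISSUER, "sub": "248289761001",
                           "aud": CLIENT_ID, "exp": now + 300, "iat": now,
                           "auth_time": now - 5, "nonce": nonce,
                           "email": "jane@example.com"}, CLIENT_SECRET)
    claims = verify_id_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID, nonce,
                             now=now, max_age=60)
    return url, claims
```

The point of the nonce and auth_time checks is what the userinfo call alone cannot tell you: that this particular token was minted for this particular login attempt, and how recently the user actually authenticated. The access token from the asker's flow proves the client may call an API; the validated ID token proves who logged in and when.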