OpenID Connect Overview

What is OpenID Connect?

OpenID Connect is an identity layer on top of the OAuth 2.0 protocol. It specifies an extensible suite of client and end-user identity interactions that allows all types of clients to request and receive information about authenticated sessions and end-users, while still providing access to backend APIs using OAuth 2.0 tokens.

This allows an identity provider to provide clients with end-user identification and basic profile information. The specification is available at https://openid.net/specs/openid-connect-core-1_0.html.

How Does it Work?

OpenID Connect introduces a new type of token, the ID token, which is issued together with an access token and optionally a refresh token. The flows to obtain tokens are very similar to common OAuth 2.0 flows. By specifying the parameter scope=openid in the request, the client tells the authorization server to run the OpenID Connect protocol. The identity server that implements the authorization server then also implements the OpenID Provider role.

In general, OpenID Connect works as illustrated:

Overview of the OpenID Connect Protocol

  1. The client sends a request to the identity server asking for authorization and user authentication.
  2. The identity server then authenticates the end-user.
  3. The identity server returns a response to the client with the authentication (and authorization) result.
  4. Optionally, the client can then retrieve user details via the UserInfo endpoint.
  5. The identity server provides user details to the client.

OpenID Connect vs OAuth 2.0

OAuth 2.0 was designed to allow a user to grant an application access to resources outside the client's realm. There is no need for users to share their credentials with the client. Instead, a user delegates access rights to the client. The access token represents the delegated access. It describes what the user permits the client to do on his or her behalf. However, OAuth 2.0 does not provide any (standardized) way for the client to request or control user authentication.

OpenID Connect adds the missing identity layer to OAuth 2.0. It does so by accepting a number of request parameters that allow applications to control authentication. For example, the prompt parameter can be used to force the user to re-authenticate. The actual authentication method can still be chosen in a myriad of potential ways, all of which are managed by the OpenID Provider. Once authentication has completed, an ID token is returned to the application as proof of the authentication event. This is a JWT that the app can verify digitally and then use to create a session. You can use OAuth 2.0 without OpenID Connect and find other means to authenticate the user.

OpenID Connect vs SAML

Security Assertion Markup Language (SAML) is a framework for exchanging security assertions. Assertions in this context are statements made by an authority about the subject (end-user), about authentication, and about authorization decisions. They are comparable to claims in OpenID Connect but are encoded in XML. Just like OpenID Connect, SAML enables a client to outsource authentication of a user to an identity provider (IdP). It enables identity federation and lends itself to single sign-on implementations.

SAML was designed for Web-based clients. It is typically implemented in websites, which verify the SAML assertion after login and create a session. SAML does not provide a separate API credential. OpenID Connect, on the other hand, provides a more complete solution for modern apps. Since it is based on OAuth 2.0, OpenID Connect provides an API credential (the access token) that Web and mobile clients can send to backend APIs.

Benefits of OpenID Connect

  • API-friendly - OpenID Connect is API-friendly. It extends OAuth 2.0, and defines a REST-like protocol for authentication and basic user profile information.
  • Web and Mobile-friendly - OpenID Connect is a protocol designed to support mobile applications. It works well in both mobile apps and Web apps. It supports mobile single sign-on.
  • Lightweight Syntax - The message formats are based on JSON. JSON (JavaScript Object Notation) is human-readable, but still suitable for machine parsing. It is language independent and has simple conventions, making it easy to work with. As it consists of objects of name-value pairs and ordered lists of values, it is a good data-interchange format.
  • Specified Token Format - ID tokens in OpenID Connect are JSON Web Tokens, JWTs (pronounced "jots"). The format is a JSON-based open standard for creating tokens. It includes claims to inform the application when and how authentication occurred, as well as the identity of the user.
  • Easy Key Distribution - OpenID Connect provides a key distribution mechanism called JSON Web Key Set (JWKS). There is no need for the overhead of a separate key management and distribution mechanism such as a PKI.
  • Access to User Information - OpenID Connect provides endpoints for clients to use when they need access to user data. It also provides mechanisms for the user to consent before this data is released to the client.

OpenID Connect - The Internet Identity Layer

OpenID Connect is the leading Internet standard for cross domain single sign-on and identity.

The main benefit of using OpenID Connect is that it provides a completely standardized setup. Since it is built on OAuth 2.0, it is API-friendly. It extends the OAuth 2.0 protocol with support for authentication so that the client can verify the identity of its users.

OpenID Connect does not define how authentication should be performed, but it provides a standardized protocol for how to ask for authentication and how the result of authentication should be presented to the client. It uses JWTs (JSON Web Tokens) as the identity token format and works for all kinds of clients, such as Web-based, mobile or native clients.