OIDC, or OpenID Connect, is an authentication layer built on top of the OAuth 2.0 authorization protocol. It provides a standardized way for users to authenticate to web applications using credentials they already hold at a trusted identity provider, rather than creating a separate username and password for each application. An example would be using Google as an identity provider, integrating it with your web applications, and then logging into all of those applications with your single Google account.
Because OIDC is an extension of OAuth, it’s important to understand OAuth first. OAuth is an authorization standard in which a user allows one application to access their resources held by another application, on their behalf, without sharing their credentials with it. Think of a user authorizing a budgeting application to read their bank transactions. The user never gives the budgeting app their bank password; they log into the bank themselves, grant the app permission, and the bank then allows the app to retrieve the data. See our OAuth article for a visual.
While OAuth can authorize one application to access another on the user’s behalf, it does not authenticate the user or tell the client anything about who that user is. The access token granted in an OAuth flow is opaque to the client (the protocol does not define its contents) and only serves to authorize access to the resource server with a limited scope. A client that treats mere possession of an access token as proof of the user’s identity is relying on something OAuth never promised.
OIDC extends OAuth by adding authentication to the same flow. When the client includes the openid scope in its authorization request, the identity provider authenticates the user and, alongside the access token, issues an ID token. The ID token is a JWT signed by the identity provider and addressed to the client (its aud claim contains the client’s ID). It carries a standard set of claims, or attributes, such as a stable subject identifier (sub) and optionally the user’s name or email. The client establishes the user’s identity by validating the token’s signature, issuer, audience, expiry and nonce before trusting any of those claims.
OAuth is designed for authorization via delegated access; OIDC is designed for federated authentication. That means logging into multiple applications with one identity from an identity provider, that is, single sign-on, eliminating the need for separate usernames and passwords. OIDC defines a standardized set of claims that identity providers issue and applications can rely on regardless of which provider is behind them, whereas OAuth standardizes no claims at all and leaves the contents of access tokens to the authorization server and the resource applications that consume them.
The biggest benefit of OIDC is its standardized handling of user information, which gives developers consistency and makes integration with their applications easier. Using the same identity provider for multiple applications also removes the burden of creating and managing many usernames and passwords. OIDC supports mobile, web and IoT clients, so applications can be accessed securely across those formats. Other benefits include central credential management, integration with multi-factor authentication, and a readable JSON request-response format.
To dive deeper into OIDC or to learn how easy it is to integrate with Teleport, be sure to check out our more detailed blog post.