4
votes

OK, looking for some guidance.

I am looking into setting up a central Authentication and Authorisation server for login and access to our API using DotNetOpenAuth.

So far

OpenId -> Authentication
OAuth -> Authorisation OK ... then it gets messy.

OpenId has an extension for OAuth. (Is there much of a need for Connect and OAuth 2.0 then!)
OpenId Connect is kind of like OAuth 2.0?

OAuth 2.0 allows Authentication.
Hueniverse mentions that OAuth 2.0 has a new username & password flow:

Username and Password Flow – used in cases where the user trusts the client to handle its credentials but it is still undesirable for the client to store the user’s username and password. This flow is only suitable when there is a high degree of trust between the user and the client.

But going from what google mentions about the protocols

OAuth 2.0 is a new, simplified authorization protocol for all Google APIs. OAuth 2.0 relies on SSL for security instead of requiring your application to do cryptographic signing directly. This protocol allows your application to request access to data associated with a user's Google Account.

Authentication doesn't seem to be mentioned.

Using DotNetOpenAuth, it uses its OpenId library for authentication with OAuth 2.0.

So ... can someone clear up the details of OpenID Connect and OAuth 2.0 for me, please? :)

Thanks in advance.

1
This seems overly broad to be a question for Stack Overflow. I recommend you repost your questions to the [email protected] – Andrew Arnott

1 Answer

0
votes

OAuth is used for authorization. OpenID Connect is used for authentication.

OpenID Connect (not OpenID) is built on top of OAuth 2.

In OAuth, the client receives an access token, which can be used to access a server-side resource (e.g. a server API). Having an access token does not mean we have authenticated the user's identity. It only grants you access to resources belonging to the user.

In OpenID Connect, the client receives a similar token called an "ID Token", which is in JWT form. The client can validate this token by its digital signature and get user ID information from the ID token.

OAuth supports several grant types. The one you mention is the "password grant type", where the authorization server trusts the client application and lets it handle the user's credentials (e.g. password).

A more common grant type is the authorization code flow, where the user submits his/her credentials at the authorization server's login page (authorization endpoint). If you have experience with "Sign in with your Google/Facebook account", you should understand better how it works.
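As an added illustration of the answer's point (this is not code from the question, the answer, or DotNetOpenAuth): a minimal token endpoint that returns an opaque access token alongside an HS256-signed ID token, and the client-side checks that turn that ID token into an authenticated identity. HS256 is used because OpenID Connect allows a confidential client's client_secret to serve as the HMAC key, which keeps the example in the standard library; the issuer URL, client ID and client secret are constructed values for the example, and the forge helper only exists to show what the validator must reject.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed values for this example; not a real issuer, client or secret.
ISSUER = "https://auth.example.com"
CLIENT_ID = "my-api-client"
CLIENT_SECRET = b"constructed-client-secret-for-the-example-only"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _jwt(header: dict, claims: dict, key: Optional[bytes]) -> str:
    """Serialize header.claims and sign with HMAC-SHA256 (or leave unsigned if key is None)."""
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = b"" if key is None else hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def issue_tokens(user_id: str, nonce: str, now: Optional[int] = None) -> dict:
    """What the authorization server's token endpoint returns after a successful
    authorization code exchange: an opaque access token for the API, plus an ID token
    whose claims are bound to this issuer, this client and this login (nonce)."""
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "sub": user_id, "aud": CLIENT_ID,
              "iat": now, "exp": now + 300, "nonce": nonce}
    return {
        # Random and opaque: the client can present it to the API but cannot read
        # any identity out of it, which is the answer's point about access tokens.
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "id_token": _jwt({"alg": "HS256", "typ": "JWT"}, claims, CLIENT_SECRET),
    }


class InvalidIDToken(Exception):
    pass


def validate_id_token(id_token: str, expected_nonce: str, now: Optional[int] = None) -> dict:
    """Client-side ID token validation (the checks of OpenID Connect Core 3.1.3.7
    that apply to an HS256 token). Returns the claims only if every check passes."""
    now = int(time.time()) if now is None else now
    try:
        h64, c64, s64 = id_token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(c64))
    except (ValueError, json.JSONDecodeError) as exc:
        raise InvalidIDToken(f"malformed token: {exc}")
    # Pin the algorithm: the token's own header must never choose how it is verified
    # (rejects "none" and any alg-confusion attempt).
    if header.get("alg") != "HS256":
        raise InvalidIDToken("unexpected alg")
    expected_sig = hmac.new(CLIENT_SECRET, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s64)):
        raise InvalidIDToken("bad signature")
    if claims.get("iss") != ISSUER:
        raise InvalidIDToken("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidIDToken("token not issued to this client")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise InvalidIDToken("token expired")
    if claims.get("nonce") != expected_nonce:
        raise InvalidIDToken("nonce mismatch (possible replay)")
    return claims


def forge_alg_none(id_token: str, new_sub: str) -> str:
    """Attacker helper: re-issue the claims with a different subject and alg=none."""
    _, c64, _ = id_token.split(".")
    claims = json.loads(_b64url_decode(c64))
    claims["sub"] = new_sub
    return _jwt({"alg": "none", "typ": "JWT"}, claims, None)


def rejected(id_token: str, nonce: str, now: int) -> bool:
    """True if the validator refuses the token; used to show the failure cases."""
    try:
        validate_id_token(id_token, nonce, now)
        return False
    except InvalidIDToken:
        return True
```

The nonce the client checks is the one it generated and sent in the original authorization request, which is what ties the ID token to that particular sign-in; the access token is simply handed to the API unread. For a real deployment use a maintained JWT library (in .NET, System.IdentityModel.Tokens.Jwt), expect RS256 tokens verified against the issuer's published JWKS, and keep the algorithm pinned on the client side exactly as above.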