
Okay, I understand that OpenID Connect is about authentication and OAuth 2.0 is about authorization, and that OpenID Connect is built on top of OAuth 2.0. I also understand the difference between these two terms.

I am creating a web app which is also an OAuth 2.0 client. A user first needs to sign in to Google in order to use my app. After I receive the access_token I query the Google API and get all the necessary info about the user. Google uses the OpenID protocol.

AFAIK Facebook uses just OAuth 2.0. But the flow is basically the same as it is with Google. So what is the difference here?

1 Answer


The difference is that OpenID Connect standardizes the so-called userinfo endpoint and the claims that are returned from that endpoint. Facebook uses a proprietary endpoint and claims set, therefore Facebook does not conform to OpenID Connect even though both provide a similar login mechanism. Since they are both built on top of OAuth 2.0, Facebook is OAuth 2.0 with a custom extension and OpenID Connect is OAuth 2.0 with a standardized extension (or: profile).
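One way to see that difference in practice, as an added example that is not part of the question or the answer: a client written against the standardized OpenID Connect userinfo claims (`sub`, `name`, `email`, `email_verified`) works for any conforming provider, while a proprietary endpoint such as Facebook's Graph API `/me` (which returns `id` rather than `sub`) needs a hand-written adapter. The sample responses are constructed; the Google issuer URL is assumed.

```python
"""Added example: normalising a login identity from a standard OIDC userinfo
response versus a proprietary (Facebook-style) profile response.
All sample payloads below are constructed for illustration."""

from typing import Any, Dict


def identity_from_oidc_userinfo(issuer: str, userinfo: Dict[str, Any]) -> Dict[str, Any]:
    """Generic OIDC client path: relies only on standard claims, so the same
    code serves Google or any other conforming provider."""
    if "sub" not in userinfo:
        raise ValueError("userinfo missing required OIDC claim 'sub'")
    # 'sub' is unique only within an issuer, so the account key is (issuer, sub).
    # Email is contact data, never the account key, and only if the provider
    # asserts it is verified via the standard 'email_verified' claim.
    verified = bool(userinfo.get("email_verified", False))
    return {
        "issuer": issuer,
        "subject": str(userinfo["sub"]),
        "name": userinfo.get("name"),
        "email": userinfo.get("email") if verified else None,
        "email_verified": verified,
    }


def identity_from_facebook_me(me: Dict[str, Any]) -> Dict[str, Any]:
    """Provider-specific adapter: Facebook's /me has no 'sub' and no standard
    verification claim, so the mapping must be written by hand."""
    if "id" not in me:
        raise ValueError("Facebook /me response missing 'id'")
    return {
        "issuer": "facebook",          # local label, not an OIDC issuer URL
        "subject": str(me["id"]),
        "name": me.get("name"),
        "email": me.get("email"),
        "email_verified": False,       # no standardized claim says otherwise
    }


# Constructed sample responses (not real provider output).
SAMPLE_OIDC_USERINFO = {
    "sub": "1234567890", "name": "Jane Doe",
    "email": "jane@example.com", "email_verified": True,
}
SAMPLE_FACEBOOK_ME = {"id": "9876543210", "name": "Jane Doe", "email": "jane@example.com"}

if __name__ == "__main__":
    print(identity_from_oidc_userinfo("https://accounts.google.com", SAMPLE_OIDC_USERINFO))
    print(identity_from_facebook_me(SAMPLE_FACEBOOK_ME))
```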