
I've begun to take an interest in the OAuth 2.0 specification and am not sure whether what I've understood so far is correct.

OAuth is an authorization protocol while OpenID Connect is an authentication protocol which extends OAuth.

The first deals with authorizing access to a third-party resource by a client application. Example: you are building some app and would like to use the features (resources) of some other application (which you do not own).

On the other hand, OpenID Connect deals with authorization, authorizing some human entity by verifying his/her identity to, for example, access a specific resource that only he/she alone has access to. Example: you're a banking application and allow users to access their account, but first they need to confirm their identity with an Authorization Provider.

So is it safe to say that Authorization is destined for application interaction while Authentication is for human interaction?


1 Answer


Your understanding of OAuth and OpenID Connect is correct. When OAuth was introduced, it defined a way to obtain access tokens, which the holding party can use against an endpoint protected by OAuth access tokens. This allowed identity details to be stored in a central location (authorization server, aka identity server) and that central location to maintain the token-obtaining process (which includes human authentication too).

While access tokens are used to grant access (authorize), OpenID Connect introduced the ID token, which gets transmitted along with the access token. The ID token is there to be consumed by the client application and is used to authenticate the end user.

Obtaining a token requires authentication at the authorization server. Depending on the token-obtaining flow (aka OAuth grant), this authentication will involve the human user. It is also possible to follow a flow which does not involve a human user. Such a flow only produces an access token. And OpenID Connect can only be used when a human user is involved.

Q: So is it safe to say that Authorization is destined for application interaction while Authentication is for human interaction?

If your application (client) involves an end user, then that user can be involved in the token-obtaining flow. And you can obtain an access token as well as an ID token. Then you use the ID token for end-user authentication. And the access token is used to connect with another endpoint.

If your application does not involve an end user (e.g., a service), then you will use OAuth to obtain an access token, which is used against another endpoint.