Using OpenID Connect to Extend OAuth 2.0

OpenID Connect extends the OAuth 2.0 protocol with a simple authentication and identity layer: it reuses the OAuth 2.0 authorization flows and adds information about who authenticated and how.

Use OpenID Connect when you want your cloud-based applications to get identity information, retrieve details about the authentication event (such as when, where, and how the authentication occurred), and to allow federated single sign-on (SSO).

OAuth 2.0 provides security tokens for use when calling back-end resources on behalf of a user. OAuth grants or licenses the ability to access resources rather than providing information about the authentication event itself. Using OAuth for authentication is like an apartment manager giving someone who wants to know your identity a temporary key to your apartment. The key only implies a right to enter the apartment for a specific length of time. It doesn't imply that the individual is the owner.

Using OpenID Connect completes the picture by providing applications with information about the user, the context of their authentication, and access to their profile information. OpenID Connect allows clients of all types, including web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end users. See OpenID Connect for more information.

Two concepts are introduced:
  • OpenID Connect ID Token: This token contains information about the user's authenticated session.

  • UserInfo endpoint: This endpoint provides a way for the client to retrieve additional attributes about the user.

Implementing OpenID Connect

There are three main actions required to implement OpenID Connect:

  1. Get an OpenID Connect ID Token: Use an OAuth2 grant type to request an OpenID Connect ID Token by including the openid scope in the authorization request.

    The following use cases provide example requests and responses for obtaining the ID Token.

  2. Validate the ID Token: Validate the ID Token to ensure that it originated from a trusted issuer and that the contents weren't tampered with during transit.

    The following use case provides information on how and what to validate.

  3. Retrieve profile information from the UserInfo endpoint: Using the OAuth2 Access Token, access the UserInfo endpoint to retrieve profile information about the authenticated user.

    The following use case provides example requests and responses for retrieving profile information from the UserInfo endpoint.
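The three steps above, carried through end to end as an added example (this is not the page's own code, and the issuer URL, client ID, client secret, redirect URI and all token claims are constructed values). To keep the example runnable offline with only the standard library, the ID Token is minted locally and signed with HS256 using the client secret as the MAC key, which OpenID Connect Core permits for confidential clients; a provider that signs with RS256 would replace only the signature check with verification against its published JWKS key, and every other validation step stays the same.

```python
"""OpenID Connect in three steps: request, validate, fetch UserInfo (stdlib only)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple
from urllib.parse import urlencode

# Constructed values for the example; a real deployment gets these from the provider.
ISSUER = "https://idp.example.com"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "constructed-client-secret-not-for-reuse"
REDIRECT_URI = "https://app.example.com/callback"


class IdTokenError(ValueError):
    """Raised when an ID Token fails any validation check."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Step 1: the authorization request. The 'openid' scope is what makes this an
# OpenID Connect request; 'nonce' binds the returned ID Token to this session.
def build_authorization_url(state: str, nonce: str) -> str:
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
    }
    return f"{ISSUER}/authorize?{urlencode(params)}"


def mint_id_token(claims: dict, key: str) -> str:
    """Stand-in for the provider: emit an HS256-signed ID Token for the example."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key.encode(), f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


# Step 2: validate the ID Token (issuer, signature, audience, expiry, nonce).
def validate_id_token(token: str, key: str, expected_nonce: str, now: Optional[int] = None) -> dict:
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token must never tell the verifier how to verify it.
    if header.get("alg") != "HS256":
        raise IdTokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key.encode(), f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise IdTokenError("signature mismatch: contents altered or signed with another key")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise IdTokenError(f"issuer {claims.get('iss')!r} is not trusted")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise IdTokenError("token was not issued to this client")
    if len(audiences) > 1 and claims.get("azp") != CLIENT_ID:
        raise IdTokenError("multiple audiences but azp is not this client")
    if int(claims.get("exp", 0)) <= now:
        raise IdTokenError("token has expired")
    if claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch: token does not belong to this session")
    return claims


# Step 3: call the UserInfo endpoint with the OAuth 2.0 Access Token, then make
# sure the profile returned belongs to the subject named in the ID Token.
def userinfo_request(access_token: str) -> Tuple[str, dict]:
    headers = {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}
    return f"{ISSUER}/userinfo", headers


def merge_userinfo(id_token_claims: dict, userinfo: dict) -> dict:
    if userinfo.get("sub") != id_token_claims.get("sub"):
        raise IdTokenError("UserInfo sub does not match ID Token sub")
    return {**id_token_claims, **userinfo}


if __name__ == "__main__":
    now = int(time.time())
    nonce = "constructed-nonce"
    print(build_authorization_url("constructed-state", nonce))
    token = mint_id_token({"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID, "iat": now,
                           "exp": now + 300, "auth_time": now - 5, "nonce": nonce}, CLIENT_SECRET)
    claims = validate_id_token(token, CLIENT_SECRET, nonce)
    url, headers = userinfo_request("constructed-access-token")
    print(url, headers["Authorization"][:6])
    print(merge_userinfo(claims, {"sub": "user-123", "name": "Example User"}))
```

The validation order matters for diagnostics only; every check must pass before any claim is trusted, and the algorithm is pinned by the client rather than read from the token header. The `sub` comparison in `merge_userinfo` is the check that stops a UserInfo response for one user from being attached to another user's session.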