OpenID Connect

May 28, 2024 | seedling, permanent


Summary #


  • OpenID Connect (OIDC) is an open authentication protocol layered on top of the OAuth 2.0 authorization framework.
  • Aimed at consumer identity, OIDC lets an individual sign on once (SSO) to relying party (RP) sites by authenticating at an OpenID Provider (OP), such as an email provider or a social network.
  • It gives the application or service a signed assertion about who the user is (the ID token), the context of that authentication (when and how it happened), and, through the UserInfo endpoint, access to the user's profile claims.

How does it work? #

  • OIDC resembles OAuth 2.0 in that a user lets one application obtain something from another without handing their username and password to the first application.

  • Instead, tokens carry the result of both the authentication and the authorization steps:

    1. ID tokens, intended to be consumed by the client (the RP), prove that the user was authenticated. They are JSON Web Tokens (JWT, pronounced "jot") whose claims identify the user (`sub`), the issuer (`iss`), the client the token was minted for (`aud`), when the authentication happened (`auth_time`, `iat`) and until when the token itself is valid (`exp`). That expiry bounds the token, not how long the user may use the application; session lifetime is the RP's own decision.
    2. Access tokens are presented to protected resources and are meant to be read and validated by the API, not by the client. They may be JWTs, but the authorization server can use any format, including an opaque reference. Their purpose is to tell the API that the bearer has been authorized to call it and what it may do, as bounded by the granted scope.

  • The two are not interchangeable: an ID token must not be used as an API credential, and an access token must not be treated as proof of who the user is (an access token obtained through some other client can be replayed to an RP, and nothing in it ties it to that RP). The following diagram shows a typical OIDC authentication flow.

RP: Relying Party (the site or application the user wants to use); OP: OpenID Provider (the identity provider that authenticates the user)

Differences between SAML, OAuth, OpenID Connect #

tags: diff

The primary difference between these standards is that OAuth 2.0 is an authorization framework used to protect specific resources, such as APIs or sets of files, while SAML and OIDC are authentication standards used to build secure sign-on experiences.

Additional differences include:

  • SAML is known for its flexibility, but most developers find OIDC easier to use because it is less complex.
  • SAML is used for browser-based applications and, on its own, provides neither SSO for native mobile apps nor API access. OAuth 2.0 provides API access; OIDC covers APIs, native mobile applications and browser-based applications.
  • OIDC is about who someone is. OAuth 2.0 is about what they are allowed to do.
  • SAML assertions are XML documents protected with XML Signature; OIDC uses JWTs, which are compact, URL-safe and support a range of signature (JWS) and encryption (JWE) algorithms.

OCR of Images #

2023-11-22_13-15-59_screenshot.png #

Figure: OIDC single sign-on between the user's browser, the RP and the OP.

  1. The user browses to the website or application they want to access (the RP).
  2. The RP sends an authentication request and redirects the user to the SSO system (the OP).
  3. The user is prompted to authenticate by providing credentials.
  4. The OP validates the user's credentials.
  5. The OP sends an assertion (the ID token) back to the RP to confirm the authentication.
  6. The user is granted access to the desired application.
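The flow in the figure and the token rules from the "How does it work?" section, as an added example that is not code from the original page or from any OIDC library. It walks the authorization-code login end to end with the OP simulated in-process, and shows the checks the RP must run on the ID token before trusting any claim: algorithm allowlist, signature, `iss`, `aud`/`azp`, `exp`/`iat` and `nonce`, plus the `state` check on the callback. Everything here is constructed: the issuer `https://op.example`, the client_id `rp-client`, the shared secret, the redirect URI and the user identifiers. The ID token is signed with HS256 using the client_secret as key, which OIDC Core 10.1 permits; production OPs normally sign with RS256 and publish keys at `jwks_uri`, which would need a network fetch this offline example avoids.

```python
# Added example, not code from the original page or from any OIDC library: a
# minimal OpenID Connect authorization-code login in which the RP validates the
# ID token it receives. Constructed assumptions: OP issuer https://op.example,
# RP client_id "rp-client", a shared client_secret, and an HS256-signed ID token
# keyed by that secret (OIDC Core 10.1 allows this; production OPs normally use
# RS256 with keys published at jwks_uri, which this offline example avoids).
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

OP_ISSUER = "https://op.example"              # assumed OP
CLIENT_ID = "rp-client"                       # assumed RP registration at the OP
CLIENT_SECRET = b"constructed-shared-secret"  # assumed; HS256 key per OIDC Core 10.1
REDIRECT_URI = "https://rp.example/cb"        # assumed RP callback


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# RP, step 2: build the redirect to the OP. state binds the callback to this
# browser session (anti-CSRF); nonce binds the ID token to this request (anti-replay).
def build_authorization_request() -> tuple:
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "openid profile email",
              "state": state, "nonce": nonce}
    return f"{OP_ISSUER}/authorize?{urlencode(params)}", state, nonce


# OP, steps 3-5 (simulated): credentials already checked, mint the ID token.
# alg="none" produces the unsigned token an attacker would forge, for testing.
def op_mint_id_token(sub: str, nonce: str, now: int, alg: str = "HS256") -> str:
    header = {"alg": alg, "typ": "JWT"}
    claims = {"iss": OP_ISSUER, "sub": sub, "aud": CLIENT_ID, "iat": now,
              "exp": now + 300, "auth_time": now, "nonce": nonce}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


# RP: a callback that does not carry the state we issued is not ours to complete.
def rp_extract_code(callback_url: str, expected_state: str) -> str:
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not bound to this session")
    return query["code"][0]


# RP, step 6: the checks OIDC Core 3.1.3.7 requires before trusting any claim.
def validate_id_token(token: str, expected_nonce: str, now: int, leeway: int = 60) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h64, c64, s64 = parts
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "HS256":  # fixed allowlist: the token does not get to pick
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(CLIENT_SECRET, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c64))
    if claims.get("iss") != OP_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise ValueError("token not intended for this RP")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("multiple audiences but azp is not this RP")
    if claims.get("exp", 0) + leeway < now:
        raise ValueError("token expired")
    if claims.get("iat", 0) - leeway > now:
        raise ValueError("token issued in the future")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: replayed or injected token")
    return claims


# The whole flow end to end, with the OP side simulated in-process.
def simulate_login(now: int, sub: str = "user-42") -> dict:
    auth_url, state, nonce = build_authorization_request()  # browser is sent to auth_url
    # The OP authenticates the user and redirects back with a code and our state.
    issued_code = secrets.token_urlsafe(12)
    callback = f"{REDIRECT_URI}?{urlencode({'code': issued_code, 'state': state})}"
    code = rp_extract_code(callback, state)
    # Back-channel code exchange (simulated): the OP returns the tokens bound to
    # that code, with the nonce from the original request copied into the ID token.
    id_token = op_mint_id_token(sub, nonce, now) if code == issued_code else ""
    return validate_id_token(id_token, nonce, now)


if __name__ == "__main__":
    print(simulate_login(1_700_000_000))
```

Two design points worth noting. The verifier pins the algorithm to a fixed allowlist instead of reading `alg` from the header, which is what closes the classic `alg: none` and HS256/RS256 key-confusion bugs. And the `nonce` is generated by the RP, sent in the authorization request and checked on the way back, so a token replayed from another session, or injected into the callback by an attacker, fails even though its signature is genuine.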
