OAuth andOpenID - Introduction
Diego Dias
Posted on August 22, 2024
Hello, welcome to my second post at Dev.to! :D
We'll cover the basics of OAuth and OpenId and try to make the concept simple enough to memoize for interviews, let's go!
First thing, OpenID and OAuth are different things.
Authorization
OAuth is responsible for issuing a "token" after you provide your credentials to the OAuth server, which answers back with the access token that gives you access to APIs but doesn't carry any user data. That's what they call authorization.
Authentication
OpenId implements the concept of user identity on top of the OAuth token mechanism, the difference is that you also receive an ID Token alongside the access token. That's what they call authentication.
const OAuth = 'Authorization';
const OpenID = 'Authentication';
Simple, isn't it? Well, that's what they say. Look at the diagram below:
Link to the full diagram:
https://infosec.mozilla.org/guidelines/assets/images/OIDC_sequence_diagram.png
That's basically the flow for an OpenID authentication.
The main difference between this type of authentication and the standard cookie model is that it has its own authentication server and this server has full access agency, meaning controlling access by registering applications upfront and generating ClientID's and ClientSecret's for each registered client on this server.
These Secret's and ID's are now used on the clients to perform requests to the authentication server, which provides the token.
I think that's a good introduction to OAuth and OpenID.
What've learned so far:
1 - Authentication and Authorization
2 - Authorization Server
3 - ClientID and ClientSecret
In the next articles, I'll cover more about the token and its different strands.
Posted on August 22, 2024
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.