OpenID Connect (OIDC) Authentication


Summary Definition: An identity layer on top of the OAuth 2.0 framework that supports single sign-on by letting a trusted identity provider assert a user’s verified identity to applications, so that those applications never handle the user’s password.


What is OIDC?

OpenID Connect (OIDC) is an authentication protocol that lets an application or website confirm a user’s identity without ever handling the user’s username and password: a trusted identity provider performs the login and vouches for the result with a signed token.

As a thin identity layer built on the OAuth 2.0 authorization framework, OpenID Connect is a foundational component of single sign-on (SSO), which lets users access multiple websites and applications with a single set of login credentials, often held by a trusted corporate, email, or social media account.

Key Takeaways

  • OpenID Connect (OIDC) is a modern authentication protocol that supports single sign-on (SSO) by having an identity provider verify the user and hand the application a signed identity token, so the application never sees the password.
  • The OIDC process uses an ID token (who the user is) and an access token (what the client may do), issued for the scopes the client requests, and delivers them through one of a few flows; the authorization code flow, with PKCE for public clients, is the recommended one, while the implicit flow is deprecated.
  • OIDC offers flexible authentication across web, mobile, and cloud environments, which makes it the usual choice for new integrations over the older Security Assertion Markup Language (SAML), although SAML remains common in established enterprise deployments.

OIDC vs. OAuth 2

Like two sides of a coin, OAuth 2.0 and OpenID Connect are closely related standards that serve different but near-inseparable roles.

OAuth 2.0 is an authorization framework: it lets a user grant an application limited access to resources held elsewhere (a calendar, a file store, an API) without sharing their password, and it expresses that grant as an access token. On its own it says nothing reliable about who the user is. OIDC builds on this process by adding an ID token that authenticates the user’s identity and securely conveys it to the application.

In other words, OAuth 2.0 authorizes access to a resource, while OIDC authenticates who the user is. For example, when a person installs a new game on their smartphone and signs up with SSO, OIDC tells the game who the user is, while OAuth 2.0 governs what the game may then do with the user’s account at the provider, such as reading their profile picture or contacts.

SAML vs. OIDC

Security Assertion Markup Language (SAML) is an older authentication protocol primarily used by large organizations. Like OIDC, it redirects the user through the browser to an identity provider, but it exchanges identity assertions as signed Extensible Markup Language (XML) documents rather than as JSON tokens.

SAML works well for browser-based web applications but was not designed for native mobile apps or API access, which limits its adaptability. Multi-factor authentication (MFA) is enforced at the identity provider in both protocols, so neither offers inherently better MFA support. OIDC is more flexible and easier to implement across web, mobile, and cloud-based applications because it relies on more modern building blocks, such as JavaScript Object Notation (JSON), JSON Web Tokens (JWT), and Representational State Transfer (REST) APIs.

That flexibility makes OpenID Connect the more efficient option for developers starting a new integration. Large businesses with established identity infrastructure often keep SAML because their existing applications already speak it, not because it is inherently more secure; in either protocol, security rests on correctly validating the signed assertion or token and on the identity provider’s login and session policies.

How OIDC Authentication Works

As part of the SSO process, OIDC authentication involves a “relying party” (RP, e.g., a mobile app) temporarily redirecting the user to a trusted OpenID Provider (OP), such as Google or Apple, with an authentication request that names the relying party, the scopes it wants, and a one-time nonce.

After the user logs in at the OP (sometimes called an Identity Provider or IdP), the OP returns an ID token to the relying party: a signed JSON Web Token (JWT) containing verified user information, such as a stable subject identifier, name, or email address. The OP usually issues an access token as well, which the relying party presents to the OP’s UserInfo endpoint or to other APIs on the user’s behalf; the access token authorizes API calls, it is not what logs the user in. Before trusting anything in the ID token, the relying party must validate it: check the signature, the issuer, that the audience is its own client ID, that it has not expired, and that the nonce matches the one it sent.

Similar to how OIDC authenticates identity while OAuth 2.0 authorizes access, the ID token verifies who the user is while the access token permits the client to perform specific actions.

OIDC Scopes and Claims

Scopes are what the relying party asks for in its authentication request, and they determine what the OP releases. The openid scope is mandatory and requests an ID token; the standard scopes profile, email, address, and phone each request a group of user claims. Every ID token also carries protocol claims regardless of scope: who issued it (iss), which relying party it is for (aud), the user’s identifier at that OP (sub), when it was issued (iat), when it expires (exp), and the nonce from the request.

Access token scopes, on the other hand, govern what the client may do with the token at an API after login, such as read-only or editor access to a shared document. The API that receives the token, not the relying party, is the party that enforces them.
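The exchange and the claim checks described above, as an added example that is not part of the original page or any provider’s code: a stand-in OP mints an ID token carrying only the claims the requested scopes entitle the relying party to, and the relying party validates the signature, issuer, audience, expiry, and nonce before trusting it. The issuer URL, client ID, secret, and user data are constructed for the example. It uses HS256 with the client secret, which OIDC Core permits; production providers usually sign with RS256 or ES256 and publish their keys at a JWKS endpoint, so the verification step would fetch a public key instead of using a shared secret.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example; none of them belong to a real provider.
ISSUER = "https://op.example.com"            # assumed OP issuer identifier
CLIENT_ID = "rp-client-123"                  # assumed relying-party client_id
CLIENT_SECRET = b"assumed-shared-client-secret-keep-it-private"

# Claims an OP releases for the standard scopes (subset of OIDC Core section 5.4).
SCOPE_CLAIMS = {
    "profile": {"name": "Ada Lovelace", "preferred_username": "ada"},
    "email": {"email": "ada@example.com", "email_verified": True},
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWTs use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()


def op_issue_id_token(scopes, nonce, now=None):
    """OP side: mint an HS256-signed ID token carrying the claims the scopes ask for."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": ISSUER,          # who issued it
        "sub": "248289761001",  # stable user identifier at this OP
        "aud": CLIENT_ID,       # the relying party it is for
        "iat": now,
        "exp": now + 300,       # short lifetime; it is only for login, not API access
        "nonce": nonce,         # echoed from the RP's request to stop replay
    }
    for scope in scopes:
        claims.update(SCOPE_CLAIMS.get(scope, {}))   # "openid" itself adds no user claims
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    return signing_input + "." + b64url(_sign(signing_input))


def rp_validate_id_token(token, expected_nonce, now=None):
    """RP side: the checks OIDC Core section 3.1.3.7 requires before trusting an ID token."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(head_b64))
    # Pin the algorithm; never let the token's own header choose it (alg=none style attacks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(_sign(head_b64 + "." + body_b64), b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not meant for this client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims
```

The order of the checks matters: the signature is verified before any claim is read, so a forged payload is rejected without the relying party acting on it, and the nonce check ties the token to the login attempt the relying party actually started.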

What is an OIDC Flow?

An OpenID Connect flow is the sequence by which tokens are requested and delivered between the OP and the relying party. The flows defined by OpenID Connect Core are:

Authorization Code Flow: The recommended and most secure option. The OP returns only a short-lived, single-use authorization code through the browser; the relying party then exchanges that code, together with its client credentials, for the ID token and access token over a direct back-channel call to the OP’s token endpoint. Tokens never pass through the browser, and a code alone is useless without the client secret or PKCE verifier. This suits confidential clients such as server-side web applications and, with PKCE, public clients such as mobile and single-page apps as well. Refresh tokens are unrelated to the code’s lifetime: they let the client obtain new access tokens after the original expires without sending the user back through login.

Given the flow’s server-centric nature, the relying party’s own credentials must be protected: a breach of the relying party’s back end can expose the client secret it uses to authenticate to the OP, so keep it in a secrets manager, rotate it, and monitor token-endpoint activity for that client.

Implicit Flow: Considered the least secure option and deprecated by current OAuth 2.0 security best practice, this flow returns ID and access tokens directly in the browser redirect (the URL fragment) instead of through a server-to-server exchange. Tokens are exposed to browser history, referrer leakage, and scripts on the page, and neither client authentication nor PKCE applies. New deployments should not use it.

Hybrid Flow: A combination of the authorization code and implicit flows. The OP returns an authorization code plus an ID token (and optionally an access token) in the front-channel redirect, so the relying party can validate the ID token immediately, then exchanges the code on the back channel for the remaining tokens. The ID token’s c_hash claim binds it to the code, so the relying party can check that the two arrived together.

Proof Key for Code Exchange (PKCE) applies to any flow that returns a code. The client generates a random verifier, sends its SHA-256 hash (the code challenge) in the authentication request, and presents the original verifier when exchanging the code; an attacker who intercepts the code cannot redeem it without the verifier, and the OP rejects any second attempt to redeem the same code.
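The authorization code flow with PKCE described above, as an added example that is not part of the original page or any provider’s code: a stand-in relying party generates the verifier, challenge, and state, a stand-in OP issues a code bound to that challenge, and the token endpoint refuses an intercepted code presented with the wrong verifier as well as any replay of a code that has already been redeemed. Client ID, redirect URI, and user identifier are constructed for the example, and the ID token is an opaque placeholder rather than a signed JWT.

```python
import base64
import hashlib
import secrets
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class RelyingParty:
    """The app: starts the login, remembers state and verifier, redeems the code on the back channel."""

    def __init__(self, client_id, redirect_uri):
        self.client_id = client_id          # assumed registration at the OP
        self.redirect_uri = redirect_uri
        self.pending = {}                   # state -> code_verifier, one entry per login attempt

    def start_login(self):
        # RFC 7636: 32 random bytes give a 43-char verifier; challenge = BASE64URL(SHA256(verifier)).
        verifier = b64url(secrets.token_bytes(32))
        challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
        state = b64url(secrets.token_bytes(16))
        self.pending[state] = verifier      # the verifier never leaves the RP until the code exchange
        return {  # query parameters of the redirect to the OP's authorization endpoint
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "scope": "openid email",
            "state": state,
            "code_challenge": challenge,
            "code_challenge_method": "S256",
        }

    def handle_callback(self, op, callback_params):
        # state ties the callback to a login this RP actually started (CSRF / login-fixation check).
        verifier = self.pending.pop(callback_params.get("state"), None)
        if verifier is None:
            raise ValueError("unknown state")
        return op.token_endpoint(
            grant_type="authorization_code",
            code=callback_params["code"],
            redirect_uri=self.redirect_uri,
            client_id=self.client_id,
            code_verifier=verifier,
        )


class OpenIDProvider:
    """Minimal OP: issues codes bound to a PKCE challenge and redeems each one at most once."""

    def __init__(self):
        self.codes = {}

    def authorize(self, params, authenticated_sub):
        # The user has just logged in at the OP (assumed here); bind a fresh code to this request.
        if params.get("response_type") != "code" or params.get("code_challenge_method") != "S256":
            raise ValueError("unsupported request")
        code = b64url(secrets.token_bytes(24))
        self.codes[code] = {
            "sub": authenticated_sub,
            "client_id": params["client_id"],
            "redirect_uri": params["redirect_uri"],
            "challenge": params["code_challenge"],
            "expires": time.time() + 60,    # codes are short-lived
            "used": False,
        }
        return {"code": code, "state": params["state"]}  # what the browser carries back to the RP

    def token_endpoint(self, grant_type, code, redirect_uri, client_id, code_verifier):
        rec = self.codes.get(code)
        if grant_type != "authorization_code" or rec is None:
            raise ValueError("invalid_grant")
        if rec["used"] or rec["expires"] < time.time():
            raise ValueError("invalid_grant: code already used or expired")
        rec["used"] = True  # burn the code on the first redemption attempt, whatever its outcome
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_grant: client or redirect_uri mismatch")
        expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not secrets.compare_digest(expected, rec["challenge"]):
            raise ValueError("invalid_grant: PKCE verifier does not match challenge")
        return {
            "access_token": b64url(secrets.token_bytes(24)),
            "token_type": "Bearer",
            "expires_in": 3600,
            # A real OP returns a signed JWT here; an opaque placeholder keeps the example short.
            "id_token": f"id-token-for-{rec['sub']}",
        }
```

Burning the code before the verifier check is deliberate: if an attacker races the legitimate client with a stolen code, at most one of the two requests can succeed, and a failed attempt by the attacker also invalidates the code for everyone, which is the behaviour RFC 6749 asks of an authorization server that sees a code used twice.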

OIDC Benefits

OpenID Connect offers several benefits for both users and organizations. By enabling SSO, OIDC reduces the number of passwords a user must remember, which lowers the risk of weak or reused passwords being compromised, and it simplifies the login process, saving users time when accessing multiple apps or services.

Furthermore, OIDC centralizes authentication for organizations, making it easier to manage access controls and apply security policies such as MFA and session limits consistently across platforms. Because it is built on standardized protocols, OIDC integrates with a wide range of web and mobile applications. The same centralization makes the OP a high-value target, so its login policies, key management, and logging deserve the most scrutiny of any component in the deployment.

