OpenID Connect (OIDC for short) is an open authentication protocol built as an identity layer on top of the OAuth 2.0 authorization framework: it reuses OAuth 2.0's endpoints, flows and tokens and adds the piece OAuth 2.0 itself lacks for authentication, a signed ID token that states who the user is.
OIDC was developed by the OpenID Foundation, which includes companies such as Google and Microsoft.
While OAuth 2.0 is an authorization protocol that only grants permission to access resources (it says nothing about who the user is), OIDC is an authentication protocol: it lets a client service (also called a relying party) verify the identity of the end user based on the authentication performed by the identity provider, and optionally obtain basic profile information about that user.
End users can use OIDC to sign in to different apps and websites with a single account, i.e. single sign-on (SSO). For example, a Google account can be used to sign in to Spotify: Google is the OpenID provider (OP for short) and Spotify is the relying party (RP). With the commonly used authorization code flow, the authentication process looks like this.
- The user opens the website or application (RP) they want to use and chooses to sign in via the OP.
- The RP redirects the user's browser to the OP's authorization endpoint with an OpenID Connect authentication request: the `openid` scope, its client ID, a registered redirect URI, and `state` and `nonce` values the RP will check later.
- The OP prompts the user to enter their login credentials (and, if configured, a second factor).
- The OP validates the credentials and redirects the browser back to the RP's redirect URI with an authorization code; the RP exchanges that code at the OP's token endpoint for an ID token and an access token.
- The RP validates the ID token (signature, issuer, audience, expiry, nonce) and only then grants the user access to the website or application.
The ID token is a signed JSON Web Token (JWT) in which the OP asserts who the user is and when they authenticated; the access token is an OAuth 2.0 bearer token the RP can present to the OP's UserInfo endpoint (or other APIs) on the user's behalf. Only the validated ID token is proof of identity; an access token by itself is not, and an RP that treats it as such can be logged in as someone else with a token issued to a different client.
OpenID Connect adds a layer of security to the authentication process and improves the user experience. Some of the key benefits of OIDC are:
- Users do not need a separate username and password for every service. This reduces password reuse and with it the credential-stuffing attacks that exploit leaked credentials across sites.
- Website operators who rely on OIDC do not have to run their own credential database or handle password resets, which shrinks both their attack surface and their support load.
- The password is only ever entered at the OP; the RP never sees it, so a compromised RP or an intercepted RP request does not expose it.
- ID tokens are signed JWTs that the RP verifies with the OP's published keys (or, for HS256, the shared client secret), all exchanges run over TLS, and the protocol is scalable, making it suitable for a wide range of applications. The trade-off is that the OP becomes a single high-value target and each RP must actually perform the token checks (signature, issuer, audience, expiry, nonce); skipping any of them turns the shared login into a shared point of failure.