OAuth and OpenID Connect 101
OAuth is an authorization framework. It is not an authentication framework.
Let us take an example.
Do you know about valet parking? I guess yes. Shopping malls, private medical centers and high-end hotels offer their customers a vehicle parking service. When a customer arrives in his own vehicle, he is not required to find a parking space by himself. An agent of the business, called a valet, finds a space and parks the vehicle on the customer's behalf. Sounds cool, right? The customer just needs to hand over the keys.
Now, as a software person, I know this question will immediately come to your mind.
What if this valet opens the glove compartment or trunk of your car and takes the private things you have kept there? What if the valet takes your car for a long ride without your knowledge?
These are the real problems!
So modern car manufacturers came up with a solution to these problems.
They made a special key called a valet key, which lets the valet drive the car to the parking space with very limited functionality. While the valet is using this key, he is not allowed to open the glove compartment or take the car for a long ride.
So why am I telling you all this?
Now let us look at OAuth.
OAuth is very similar to the valet key scenario. It allows a service to use another service without exposing the second service's sensitive credentials to the first service.
Let us take an example: you want an app to access your Google Drive and import a photo from it. You do not want to give the username and password of your Google account to that third-party app. OAuth allows the app to use the Google Drive service without your Google password ever being exposed to that third-party app.
OAuth 2.0
Through discussions between tech giants such as Google, Twitter and Facebook, OAuth 2.0 was introduced. It is a complete rewrite of OAuth 1.0 with additional improvements.
OAuth Terminology
· Resource Owner - The owner of the data and identity.
· Client - The application that wants to access data or perform actions on behalf of the resource owner.
· Authorization Server - The application that knows the resource owner, where the resource owner already has an account.
· Resource Server - The API or service that the client wants to use on behalf of the resource owner.
· Redirect URI - The URL to which the authorization server redirects the resource owner after permission has been granted to the client.
· Response Type - The type of information the client expects to receive.
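To see how these terms fit together, here is an added example (not code from the original post) of the client side of an authorization request and the redirect that comes back. The authorization endpoint, client ID and redirect URI are hypothetical values constructed for the example. The `state` parameter is part of OAuth 2.0 even though the list above does not name it; it ties the redirect back to the browser session that started the request, while `nonce` is echoed in the ID token described later on this page.

```python
"""Constructed example: an OAuth 2.0 / OIDC authorization request and its redirect."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical values for the example; a real client reads these from its configuration.
AUTHORIZATION_ENDPOINT = "https://auth.example.com/authorize"  # authorization server
CLIENT_ID = "my-photo-app"                                      # the client
REDIRECT_URI = "https://photos.example.org/callback"            # registered redirect URI


def build_authorization_request(scope="openid profile", response_type="code"):
    """Return (url, state, nonce) for sending the resource owner to the authorization server.

    response_type tells the server what the client expects back ("code" = an
    authorization code). state and nonce are fresh random values the client
    must remember for the duration of this login attempt.
    """
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    params = {
        "response_type": response_type,
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "nonce": nonce,
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}", state, nonce


def parse_redirect(redirect_url, expected_state):
    """Handle the redirect back to the client and return the authorization code.

    The client accepts the response only if the URL is exactly the registered
    redirect URI and the state matches the one it generated; otherwise the
    response may belong to someone else's login attempt.
    """
    parsed = urlparse(redirect_url)
    base = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    if base != REDIRECT_URI:
        raise ValueError("redirect URI mismatch")
    query = parse_qs(parsed.query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    if "error" in query:
        raise ValueError(f"authorization server returned error: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if code is None:
        raise ValueError("no authorization code in redirect")
    return code


if __name__ == "__main__":
    url, state, nonce = build_authorization_request()
    print("send the user to:", url)
    # Constructed redirect, as the authorization server would produce it on success.
    came_back = f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    print("authorization code:", parse_redirect(came_back, state))
```

The client then exchanges the code for tokens at the authorization server; the point of the check in `parse_redirect` is that a code arriving with an unknown `state`, or at a URL other than the registered redirect URI, is discarded rather than used.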
OpenID Connect
OAuth 2.0 is only for authorization and granting access to data. OAuth gives a key to the client. OpenID Connect is a layer that sits on top of OAuth and enables functions such as logging in and maintaining profile information about the resource owner.
OpenID Connect:
· Provides a badge instead of an authorization token.
· Provides specific information about the resource owner so that a profile can be maintained, such as:
o Name
o Birthday
o Profile Picture
· Establishes a login session with an identity.
Simply put, OpenID Connect enables the use of one login across multiple services.
This is also known as Single Sign-On (SSO).
In OpenID Connect, clients receive an ID token, which is an encoded JWT (JSON Web Token). OpenID Connect became very popular due to this use of JWT. JWTs are known for their portability because they support different signature and encryption algorithms.
Another reason for OIDC's popularity is that it is compatible with web applications as well as basic mobile apps, while it also has the power to provide complex security features for enterprise requirements.
ID Token
The ID token is based on the concept of an ID card. It follows the standard JWT format and is digitally signed by the OpenID Provider.
The standard set of ID token claims is described below.
· “iss”: REQUIRED. Issuer Identifier for the issuer of the response.
· “sub”: REQUIRED. A locally unique and never reassigned identifier within the Issuer for the End-User, which is intended to be consumed by the Client.
· “aud”: REQUIRED. Audience(s) that this ID Token is intended for. It MUST contain the Client Id in OAuth 2.0 of the Relying Party as an audience value.
· “exp”: REQUIRED. Expiration time of the ID token.
· “iat”: REQUIRED. Issued at: the time at which the JWT was issued.
· “auth_time”: Time when the End-User authentication occurred.
· “nonce”: String value used for verification, to prevent replay attacks.
· “acr”: Authentication Context Class Reference.
An authentication process must take place at the identity server, which checks the user's session and credentials. The web browser acts as the trusted agent for this authentication process.