How OpenID Connect differs from OAuth 2.0

· Category: API & REST

Short answer

OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0. OAuth 2.0 only says how a client obtains an access token to call an API; OIDC adds a standard way for the client to learn who authenticated (the ID token, a signed JWT with claims about the user and the login event) and a standard endpoint for fetching the user's profile (UserInfo).

Key differences

  • Purpose: OAuth 2.0 delegates authorization (what a client may do with an API); OpenID Connect adds authentication (who the user is and how and when they logged in).
  • Token type: OIDC introduces the ID token, a JWT whose claims (iss, sub, aud, exp, iat, nonce, optionally profile claims such as email) describe the user and the authentication event. It is issued to the client, not to the API; the access token remains the credential for API calls.
  • UserInfo: OIDC defines a standard endpoint, called with the access token, for retrieving user profile claims.
  • Discovery: OIDC publishes a discovery document at /.well-known/openid-configuration (endpoints, supported signing algorithms, JWKS URI) so clients can be configured from a single issuer URL.
  • Session management: OIDC provides session management and logout specifications (RP-initiated, front-channel and back-channel logout) that OAuth 2.0 does not define.

When to use each

  • Use OAuth 2.0 alone when you only need delegated API access and do not care who the user is (for example, a service granting a third-party app read access to a resource).
  • Use OpenID Connect when you need login, single sign-on, or user profile data; using a bare OAuth 2.0 access token as proof of identity is a common mistake, because an access token is not bound to your client and says nothing about the login.
  • Modern identity providers implement both protocols together: an OIDC login returns an ID token and an access token in the same response.
  • Choose OIDC when you need interoperability across identity vendors, because it standardizes the token format, claim names, and discovery that plain OAuth 2.0 leaves to each provider.

Example

GET /api/protected HTTP/1.1
Host: api.example.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

This request shows an OAuth 2.0 access token presented as a bearer token in the Authorization header to call a protected API. The token here is a JWT (the header prefix decodes to {"alg":"HS256","typ":"JWT"}), but OAuth 2.0 does not require any particular access token format; the API validates it by whatever means the provider defines. Two points matter in practice: the ID token is not sent to APIs (its audience is the client, not the resource server, and an API should reject it), and because anyone holding a bearer token can use it, the request must go over TLS.
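The following Python program is an added example illustrating the ID-token versus access-token split described in the Key differences and Example sections above; it is not code from this page or from any provider SDK. To stay self-contained it assumes a provider that signs both tokens with HS256 using one shared key (ISSUER, CLIENT_ID, API_AUDIENCE and PROVIDER_KEY are made-up constants); real providers usually sign with RS256 using keys published through discovery, and OIDC keys an HS256 ID token with the client_secret. The client-side checks in validate_id_token follow the ID token validation rules of OpenID Connect Core; the API-side check rejects an ID token because its audience is the client, not the API.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example; real clients take them from the provider's
# discovery document and their own client registration.
ISSUER = "https://op.example.com"
CLIENT_ID = "my-web-app"
API_AUDIENCE = "https://api.example.com"
PROVIDER_KEY = b"example-provider-key-do-not-reuse"  # simplification: one HS256 key for both tokens


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact JWS (header.payload.signature) with HS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> dict:
    """Pin the algorithm and verify the MAC before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def issue_tokens(subject: str, nonce: str, now: float) -> dict:
    """Constructed token-endpoint response: an ID token for the client, an access token for the API."""
    id_token = sign_hs256({"iss": ISSUER, "sub": subject, "aud": CLIENT_ID, "iat": int(now),
                           "exp": int(now) + 300, "nonce": nonce,
                           "email": f"{subject}@example.com"}, PROVIDER_KEY)  # profile claim: OIDC's addition
    access_token = sign_hs256({"iss": ISSUER, "sub": subject, "aud": API_AUDIENCE, "iat": int(now),
                               "exp": int(now) + 3600, "scope": "read:items"}, PROVIDER_KEY)
    return {"id_token": id_token, "access_token": access_token, "token_type": "Bearer"}


def validate_id_token(token: str, expected_nonce: str, now: float) -> dict:
    """Client side: issuer, audience (plus azp when aud lists several), expiry and nonce."""
    claims = verify_hs256(token, PROVIDER_KEY)
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud_list:
        raise ValueError("token not issued to this client")
    if len(aud_list) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("azp must name this client when aud has several entries")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def authorize_api_request(authorization_header: str, now: float) -> dict:
    """Resource-server side: accept only a bearer token whose audience is this API."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("expected Bearer scheme")
    claims = verify_hs256(token, PROVIDER_KEY)
    if claims.get("iss") != ISSUER or claims.get("aud") != API_AUDIENCE:
        raise ValueError("token was not issued for this API")  # this is where an ID token is refused
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run a login, a legitimate API call, an ID token misused at the API, and a replayed nonce."""
    nonce = "n-0S6_WzA2Mj"  # constructed; a real client generates a fresh nonce per login
    tokens = issue_tokens("alice", nonce, now)
    identity = validate_id_token(tokens["id_token"], nonce, now)
    api_claims = authorize_api_request(f"Bearer {tokens['access_token']}", now)
    outcomes = {"sub": identity["sub"], "email": identity["email"], "scope": api_claims["scope"]}
    for label, call in (("id_token_at_api", lambda: authorize_api_request(f"Bearer {tokens['id_token']}", now)),
                        ("wrong_nonce", lambda: validate_id_token(tokens["id_token"], "other-nonce", now))):
        try:
            call()
            outcomes[label] = "accepted"
        except ValueError as err:
            outcomes[label] = str(err)
    return outcomes


if __name__ == "__main__":
    print(json.dumps(demo(time.time()), indent=2))
```

The two rejected cases are the ones this page's distinction hinges on: the API refuses the ID token because its aud names the client, and the client refuses an ID token whose nonce does not match the login it started, which is what stops a captured token from being replayed into a new session.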

Additional context

The practical consequence of the split is that each token has one consumer and one set of checks. The client validates the ID token (signature against the provider's published keys, iss, aud equal to its client_id, exp, and the nonce it sent with the authorization request) and uses it only to establish the login session. The API validates the access token against its own audience and scopes and never accepts an ID token in its place. Keeping those responsibilities separate is what lets the same provider serve plain OAuth 2.0 clients and OIDC clients at once.