About OIDC, a modern authentication protocol
In the digital era, with the popularization of network services and the increasingly complex application ecosystem, user identity verification and authorization mechanisms have become the key to ensuring network security and privacy. OpenID Connect (OIDC), as an open standard based on the OAuth 2.0 protocol, provides a comprehensive solution for secure and convenient online identity authentication. This article will deeply explore the core concepts, workflow, advantages and application scenarios of OIDC to help readers fully understand this modern identity authentication protocol.
1 OIDC Overview
OpenID Connect (OIDC) is an identity layer protocol developed by the OpenID Foundation. It is built on the OAuth2.0 framework and aims to provide a standardized way to authenticate user identities and obtain their basic information. Different from pure OAuth2.0, OIDC not only focuses on authorization (that is, allowing applications to access users' resources on other services), but also emphasizes authentication - confirming "who you are".
OpenID Connect (OIDC) and OAuth2.0 are two closely related protocols with different functional positions. They play a key role in the authentication and authorization system of modern network applications. Here are some of the main differences between them:
- Goals and functions
- OAuth2.0 is primarily an authorization framework that allows users to authorize third-party applications to access their resources stored on another service provider (resource server) without having to share usernames and passwords. OAuth2.0 focuses on authorization (access), which determines whether an application has permission to access specific resources, but does not directly handle user identity verification.
- OpenID Connect (OIDC) is an identity authentication protocol developed on the basis of OAuth2.0. While providing authorization, it also provides a standardized way to verify the identity of end users. OIDC introduces the concept of ID Token, which is a JWT (JSON Web Token) that contains user identity information, so that applications can be sure of "who" is accessing, not just what can be accessed.
- Authentication and Authorization
- OAuth2.0 only deals with authorization issues, that is, "can application A access user B's resources on service C?", but it does not directly deal with user identity authentication.
- OIDC handles both authorization and authentication, ensuring that applications not only gain access but also confirm the user's true identity.
- information exchange
- OAuth2.0 uses Access Tokens to represent the permissions granted to applications by users, but these tokens do not contain user identity information.
- OIDC has added ID Tokens to the OAuth2.0 process, which is a security token that contains user identity information and can pass some basic user attributes while authenticating the user's identity.
- safety
- OAuth2.0 provides a secure authorization mechanism, but the user authentication part requires additional mechanisms to supplement it.
- OIDC has built-in stronger security measures, such as using JWT and encryption technology to protect ID Token, ensuring the security and integrity of identity information during transmission.
- Application scenarios
- OAuth 2.0 is commonly used in scenarios where third-party applications need to access user data, such as social media login, cloud service API access, etc.
- OIDC is more suitable for services that need to confirm the user's true identity, such as single sign-on for enterprise applications, identity verification for financial services, etc.
Although OIDC is built on OAuth2.0, it provides a more comprehensive solution by adding an identity authentication layer to adapt to the needs of user authentication and authorization in modern Internet applications.
Two core components
- Identity Provider (IdP) : The entity responsible for verifying the user's identity and issuing identity tokens.
- Third-party applications (Relying Party, RP) : Applications or services that require user identity verification.
- User Agent (UA) : The user's browser or other client software, used to interact with IdP and RP.
- Authorization Code : In the OAuth 2.0 process, the IdP sends a temporary code to the RP, and the RP uses the code to exchange the access token.
- ID Token : A unique concept of OIDC. It is a JWT (JSON Web Token) that contains the user's basic information and is used to directly verify the user's identity.
Three OIDC workflow
The workflow of OIDC can be roughly divided into the following steps:
- User requests access to RP : The user attempts to access a protected resource provided by a relying party (RP).
- Redirect to IdP : RP redirects users to a pre-configured identity provider (IdP) for login.
- User authentication : The user enters credentials on the IdP to complete authentication.
- Authorization code issuance : The IdP returns an authorization code to the user agent (usually the browser), along with the redirect URI of the RP.
- RP exchanges tokens : RP sends an authorization code to the IdP through the backend server, requesting exchange for access tokens and ID tokens.
- Verify ID token : RP verifies the validity of the ID token (signature, expiration time, etc.) and extracts user information.
- Access resources : After successful authentication, the RP allows the user to access protected resources.
Four advantages of OIDC
- Security : Data is transmitted through HTTPS and encrypted using JWT to ensure communication security.
- Convenience : Users only need to log in at one place (IdP) to access multiple applications or services, which improves user experience.
- Standardization : As an open standard, OIDC is compatible with multiple platforms and services, making it easy for developers to integrate and maintain.
- Extensibility : Supports additional authentication information and statements to meet the needs of different scenarios.
Five application scenarios
- Enterprise applications : Enterprise internal systems can implement single sign-on (SSO) through OIDC, simplifying the process for employees to access multiple internal applications.
- Social media login : Many websites and applications allow users to log in using social accounts such as Google and Facebook, and OIDC is at work behind the scenes.
- Cloud services and API access : Provide a unified authentication and authorization mechanism for API access to enhance the security of cloud services.
- Internet of Things and Mobile Applications : Implement secure user authentication in smart devices and mobile applications to protect user privacy.
Six summary
As an authentication layer above OAuth 2.0, OpenID Connect effectively solves the complex challenges of user authentication in modern network environments through standardized processes and powerful security features. As digital transformation accelerates, the application scope of OIDC will continue to expand, becoming an important cornerstone of the trust bridge between users and services. For developers, in-depth understanding and proficiency in OIDC is undoubtedly an important ability when building safe and efficient applications.