OpenID Connect (OIDC)

What is OpenID Connect?

OpenID Connect, also known as OIDC, simply means having one key to log into many different internet services without having to remember different passwords. It is a way to enable Single Sign-On (SSO). OpenID Connect is built on top of OAuth2. OAuth 2.0 serves as the foundation of OpenID Connect. It is an authorization framework that allows applications to obtain limited access to user accounts. OAuth 2.0 manages the permission to access resources on behalf of the user, without revealing the user’s details (such as passwords) to the application. The differences between OAuth2.0 and OpenID are further explained later.

Example of OpenID Connect

Using OpenID Connect is like having a VIP pass that verifies your identity. Imagine going to a music festival with different stages (websites). Instead of standing in line at each stage and showing your ID (logging in with different accounts), you simply show your VIP pass (OpenID link) at the entrance. Security (the trusted service) nods and says, “We know you, go ahead.” This way, every stage knows you’re a validated guest, and you can move freely without having to show your entry ticket again.

How does OpenID Connect work?

The process of authenticating with OpenID Connect goes as follows:

1. The user launches an application
2. The application directs you to the identity provider for authentication
3. The user logs in at the identity provider with their existing login credentials. This can be a username and password, or another form of authentication supported by the identity provider.
4. After successful authentication, you are sent back to the application.
5. The application maintains the user session until the user logs out or the session expires.

OpenID Connect vs OAuth

OpenID Connect and OAuth are often confused because they both deal with online authentication and authorization. However, they serve different functions in the digital landscape.
Imagine going to a concert. At the entrance, there are two teams ensuring everything runs smoothly and safely: one for identity checks and the other for access management. In our digital world, OpenID Connect and OAuth play roughly these roles.

OpenID Connect:

• Purpose: OpenID Connect is specifically designed for authentication. This means it confirms who a user is. They essentially say: “Yes, you are the person you claim to be.”
• Use: When you log into a website or application with, for example, your Google account, you’re using OpenID Connect. It eliminates the need to create a separate username and password for each service.
• Functioning: OpenID Connect works by verifying your identity through a third party (such as Google) and sharing that confirmation with the applications you log into.

OAuth:

• Purpose: OAuth, on the other hand, is designed for authorization. It allows websites or applications permission to perform certain actions or access your data without sharing your password. OAuth decides which parts of the concert you can see based on your ticket type. They ensure that you only get access to what you’re allowed to see or use.
• Use: If an application wants access to your Google contacts, it uses OAuth to arrange that permission.
• Functioning: OAuth enables you to grant specific rights to an application, such as access to your photos or emails, without revealing your actual login details.

In summary:

• OpenID Connect = Who are you?: It confirms your identity when you log in with your account from, for example, Google.
• OAuth =What are you allowed to do?: It manages access to your data or services without sharing your password.

Just like at a concert, these two systems work together to make your online experience safe, smooth, and user-friendly. OpenID Connect ensures that you are who you say you are, and OAuth ensures that you only have access to what you’re allowed to see or do.

OpenID Connect vs OAuth2

Imagine using a new application that asks if you want to log in with your Google account. That’s where OpenID Connect comes into play. And if that same app asks for access to your Google contacts, OAuth 2.0 manages that permission. OpenID Connect identifies ‘who you are,’ while OAuth 2.0 manages ‘what you are allowed to do’ with your data.

In summary:

• OpenID Connect = Identity Check: “I confirm who this person is.”
• OAuth 2.0 = Access Control: “It manages what you are allowed to do or see with this person’s data.”

OpenID vs SAML

OpenID and SAML are very similar. SAML (Security Assertion Markup Language) and OpenID Connect are both protocols used for authentication and authorization in online services, with a strong focus on enabling Single Sign-On (SSO). They allow users to use one set of login credentials to access multiple applications, increasing convenience and enhancing security.
While they both aim for the same goal, they differ in operation.

Functioning of OpenID Connect

OpenID Connect is based on OAuth 2.0 but adds an extra layer for identity verification. This means it provides both access control (like OAuth 2.0) and identity verification. It sends the user’s identity information in an ID token. This is done using JSON Web Token (JWT). The configuration of OpenID Connect is often simpler because the protocol is more standardized across different implementations.

Functioning of SAML

SAML uses XML to transfer user information between an identity provider (IdP) and a service provider (SP) as opposed to JSON Web Token (JWT). There can be variations in how different identity providers implement SAML, which requires additional alignment.

Securing IAM with OpenID and SAML

To ensure secure authentication, SAML and OpenID Connect are essential. In our identity and access management solution, we integrate both SAML and OpenID Connect to provide streamlined and secure user authentication.
OpenID plays a significant role in data security, but it’s just one aspect of a comprehensive approach. For a deep dive into securing personal data and protecting user privacy, we invite you to view our whitepaper on security strategies.