Picking the right user management flow for your application or platform has become extremely important today, with OpenID Connect (OIDC) and Open Authorization 2 (OAuth2) on most shortlists. But which one is better for your offering, if at all? Without further ado, let’s learn about the two methods and compare them.
OpenID Connect, commonly known as OpenID, is a specification for Single Sign-On (SSO) and user authentication purposes.
OpenID, developed in 2005, lets authentication services and websites exchange security details in a standardized manner. In 2014, the OpenID Foundation developed a new version named OpenID Connect (OIDC). OpenID Connect strengthens the OAuth 2.0 authentication framework for better interoperability, identity management, and support for mobile apps in development.
The aim of OpenID Connect is to let end-users log in just once to access disparate and multiple resources; on and off the internet. The specification, which has the support of various cloud providers, including Microsoft and Google, is believed to provide a way for organizations to replace their on-premise access management (IAM) and identity systems with cloud offerings.
Read more about the Top SSO Providers in the market today.
Open Authorization (OAuth) is an open standard authorization framework used for token-based authorization that is highly popular across the globe.
OAuth flows provide end-user’s account details to third-party services, including Google and Facebook, without revealing the user’s account credentials to the third-party. It provides a go-between on behalf of the end-user, giving the third-party service an access token that authorizes the sharing of specific account information. The process of gaining the token is known as the authorization flow.
OAuth 1.0 was initially released in 2007 as an authorization method for the Twitter API. In 2010, the IETF OAuth Working Group released the initial draft of the OAuth 2.0 protocol. As with the first OAuth, OAuth 2.0 allows users to provide third-party application access to web resources without revealing a password. However, it is an entirely new protocol and is not backward compatible with OAuth 1.0.
New features include a new authorization code flow to allow for mobile apps, short-live tokens with long-lived authorizations, and simplified signatures.
Read more about OAuth vs JWT in our detailed comparison
OAuth 2.0 is an authorization framework that lets end users grant access by one app to data stored by another, without having to re-enter their credentials. Read more about OAuth grant types in our dedicated article.
Its main focus is on secure authorization for a user who has already been authenticated and reducing friction as much as possible to improve the user experience. The image below shows an application (we’ll call it the “current application”) that uses the OAuth 2.0 protocol to enable users to register and sign up using their existing Google or Dropbox account.
The OAuth 2.0 protocol defines four roles:
In this example, Google and Dropbox provide both the authorization and resource server on the same API endpoint. But OAuth 2.0 is capable of contacting one server for authorization and then pull resources from a separate server. OAuth 2 supports four process flows. Let’s see the most common one, called Authorization Code Grant Type.
This process flow works as follows:
OpenID Connect (OIDC) is an authentication protocol that is currently supported by many popular web services, including Google, Paypal, Microsoft and Amazon. Its main focus is on authenticating a user to ensure they really are who they say they are. OIDC uses the OAuth 2.0 specifications to authorize resources on a target server. It extends OAuth 2.0, providing:
The OIDC protocol defines four entities:
OAuth 2.0 pays particular attention to authorization. It doesn’t deal with the particular aspects of how users are authenticated. It offers three process flows called “grant types”, which support the user cases outlined here (note that Implicit – the fourth OAuth process flow is not in use any more).
OpenID Connect supports both authentication and authorization, managing secure authentication of the end-user. It can also help with the handling of API access. OIDC offers three process flows that provide support for these use cases:
Related: OIDC vs SAML
Both OIDC and OAuth 2.0 are solid in terms of usability:
OAuth vulnerabilities surface in part because the OAuth specification is flexible and relatively vague in its design. There are a few mandatory components that are needed for the rudimentary functionality of every grant type, but most of the implementation is entirely optional. This encompasses many configuration settings that are needed to keep users’ information secure.
Put simply, there is a lot of opportunity for bad practices to arise.
Another key concern with OAuth is the overall lack of built-in security features. Security is almost entirely dependent on developers making use of the correct combination of configuration options and putting their own additional security measures in place, including robust input validation. According to the type of grant, highly sensitive data is also transferred via the browser, which provides many malicious opportunities for cybercriminals.
OpenID Connect specifications are more stringent than that of basic OAuth, which indicates that there is typically less potential for abnormal and potentially vulnerable implementations. That being said, it is simply a layer that sits on the OAuth. The OAuth service or client application might still be vulnerable to certain OAuth-based attacks.
OAuth 2 has the following limitations:
OIDC has the following limitations:
Both OpenID Connect and OAuth 2.0 have their place in the SaaS space, including user management solutions. But again a lot depends on your specific use case. If you are looking for an authorization solution, OAuth has the better track record. But you also need to keep in mind that it is less secure than OIDC, which also covers the authentication part.
Start For Free