OAuth 2.0 and OpenID Connect Explained (in Plain English)

19 May 2020

Businesses typically rely on a best-of-breed collection of systems and applications hosted on premise and in the cloud. Although this allows them to better control and streamline operations, managing access and control can be a serious administrative burden. OAuth 2.0 and OpenID Connect technologies have been developed to help simplify secure authentication and authorisation between systems. But what exactly are they and why are they so useful?

What is OAuth 2.0?

OAuth 2.0 is a protocol used to authorise access to an application. At the most basic level, OAuth 2.0 allows a user to nominate an app (or Identity Provider – IdP) to act on their behalf.

Take Fitbit as an example. Fitbit users use their devices to produce data and other Apps like Strava and Withings can be configured to access that data. Fine-graining access is also possible: a user may give Strava access to read and write their Fitbit location, but not their weight. If all goes well, Fitbit will produce an access token which will be given to Strava. Strava will be able to access the data until it expires. It can even do it in the background; the user does not have to be involved any more.

Although there may be a log-in step somewhere in the process, this is not covered by OAuth itself, but it is sometimes inferred by the various solutions using OAuth. This is due to a potentially insecure assumption that if one was able to log-in and give access to some data, then it must be themselves. However, OAuth is not designed for authentication and using it as such introduces security risks.

What is OpenID Connect?

OpenID Connect (OIDC) builds on OAuth 2.0 by adding an authentication layer to the OAuth 2.0 protocol: using OIDC, users can prove who they are. Although often confused, OIDC is distinct to OAuth 2.0. It can deal with authentication, is more modern, better defined and potentially more secure.

The classic “Login with Facebook” option is a typical OIDC example. Users wanting to access a website are redirected to Facebook to login there. That website may also ask Facebook to provide their name and e-mail. If everything goes well, Facebook will create, sign and optionally encrypt a token with a unique user ID and any associated data. This token will then be used by the website to create an identity for the user and, in the future, to allow them to prove it is still them.

OIDC is therefore primarily an authentication protocol which can also carry some data about the user, access rights etc: in other words, it can carry their identity. But it is not meant to be used to by another App to access their data in the background.

In effect, OpenID Connect allows application developers to outsource responsibility for authorisation and to obtain the information that allows for greater personalisation of services.

It is worth noting that Azure Active Directory (AD) doesn’t encrypt this token by default – it only signs it to prove that it hasn’t been tampered with. Token encryption is an extra security measure that needs to be configured manually.

OpenID Connect in the enterprise

With the new authentication capabilities, OpenID Connect can be used to create a single sign-on (SSO) solution for the web services you build. In the context of Azure for instance, the Microsoft identity platform can be configured to issue OpenID Connect tokens for use with secured web APIs. Indeed, Microsoft recommend the use of OpenID Connect when building web-based applications that are accessed via a browser

In this scenario, when they access the web application, users are redirected to their regular Azure AD login, their Microsoft account, or Azure AD B2C login. Once authenticated, the ID token (provided by OpenID Connect) is sent to the web application, granting the user access.

Centralising identity and authorisation functionality in the Azure Active Directory dramatically reduces administrative overheads. It will also help to prevent problems with credential and permission mismatch that are common in other distributed systems. Best of all, OAuth and OpenID Connect are open standards, offering a degree of portability to other cloud providers.

Let us help you make sense of OAuth 2.0 and OpenID Connect technologies

Would you like to learn more about the use of protocols for your identity and access management? Our team has extensive experience in supporting organisations to improve their security and user experience with digital identity. We offer a range of consultancy services that are sure to meet your organisation’s requirements.

Please give us a call or send us a message to discuss how we can help simplify and improve your web application security.