OAuth vs OpenID Connect

  • OAuth 2.0 (RFC 6749) is a delegation protocol: a resource owner lets a client obtain scoped access to an API on their behalf. It is not an authentication protocol, and an access token on its own says nothing about who the user is or whether they are present.
  • OpenID Connect (OIDC) is an authentication layer on top of OAuth 2.0. The authorization server returns an ID token (a signed JWT about the authenticated user) in addition to the access token, not instead of it. The client validates the ID token; the access token is still what goes to the API.
  • JWT [pronounced "jot"] (JSON Web Token, RFC 7519) is two JSON objects, a header and a claims set, base64url-encoded and signed (JWS) with the issuer's private key (e.g. RS256) or an HMAC secret (e.g. HS256). The receiver must pin the expected algorithm and check iss, aud and exp, not just the signature. More generally, access tokens come in two styles:
    • by reference: an opaque random string that means "look this up at the authorization server" (token introspection, RFC 7662). It carries no claims, so a leaked one reveals nothing about the user, but it is still a bearer credential and must only travel over TLS.
    • by value: the token itself carries the claims (typically a JWT), so the resource server can validate it locally with the issuer's key, without a round trip to the authorization server. Everything in it is readable by whoever holds it unless it is also encrypted (JWE).
    • A token translation service (an API gateway or reverse proxy) can convert by reference to by value: the client only ever sees the opaque token, the proxy introspects it and forwards a signed JWT to the backend services.
  • OAuth 2.0 defines the Authorization Code Grant, Implicit Grant, Resource Owner Password Credentials Grant and Client Credentials Grant (plus the Refresh Token grant and, in RFC 8628, the Device Authorization Grant). The OAuth 2.0 Security Best Current Practice deprecates the Implicit and Resource Owner Password Credentials grants; new deployments should use the Authorization Code Grant with PKCE.
  • OIDC specifies the Authorization Code Flow, Implicit Flow and Hybrid Flow, selected by the response_type parameter (code; id_token or id_token token; and combinations such as code id_token).
  • Flow mappings for different client types
    • Web application with a dedicated server-side component: OAuth 2.0 Authorization Code Grant with a confidential client (client secret or private_key_jwt), OIDC Authorization Code Flow with a confidential client
    • Desktop or mobile native application: Authorization Code Grant with a public client and PKCE (RFC 7636), OIDC Authorization Code Flow with a public client and PKCE; RFC 8252 covers the redirect URI and system-browser requirements
    • Single Page App (SPA): historically the OAuth 2.0 Implicit Grant / OIDC Implicit Flow, because the browser cannot keep a client secret. Current guidance (OAuth 2.0 Security BCP, OAuth 2.0 for Browser-Based Apps draft) is the Authorization Code Grant / OIDC Authorization Code Flow with a public client and PKCE, which keeps tokens out of the URL fragment and binds the code to the client that started the flow
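The following is an added example, not code from the original notes, that puts the pieces above into one runnable exchange: a public client does Authorization Code + PKCE against a toy in-memory authorization server, receives an opaque (by-reference) access token plus an OIDC ID token as a JWT (by value), the client validates the ID token locally, and a gateway translates the opaque access token into a JWT for a backend via introspection. Everything is standard library. The HS256 shared secret, the issuer https://as.example, the client id spa-client and the API audience are made up for the example; a real authorization server would sign with an asymmetric key (RS256/ES256) and be a separate service reached over HTTPS.

```python
# Added example (not from the original notes): Authorization Code + PKCE, opaque access
# token resolved by introspection, OIDC ID token as HS256 JWT, token translation at a proxy.
import base64
import hashlib
import hmac
import json
import secrets
import time

SHARED_SECRET = b"demo-hs256-secret"   # assumption: HMAC key shared by AS and verifiers
ISSUER = "https://as.example"          # hypothetical issuer URL
CLIENT_ID = "spa-client"               # hypothetical public client


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_encode(claims: dict) -> str:
    """By-value token: base64url(header).base64url(claims).base64url(HMAC-SHA256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def jwt_verify(token: str, audience: str, now=None) -> dict:
    """Local validation with no call to the AS: pinned alg, signature, iss, aud, exp."""
    if now is None:
        now = int(time.time())
    header, payload, sig = token.split(".")   # ValueError if not three segments
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")     # never let the token choose the algorithm
    expected = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != ISSUER or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def pkce_pair():
    """RFC 7636: code_verifier stays on the client, the S256 challenge goes in the authorize request."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode()).digest())


class AuthorizationServer:
    def __init__(self):
        self.codes = {}    # code -> (client_id, code_challenge, subject); single use
        self.tokens = {}   # opaque access token -> introspection record (by reference)

    def authorize(self, client_id: str, code_challenge: str, subject: str) -> str:
        """Front channel: the user has authenticated; issue a code bound to the PKCE challenge."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, code_challenge, subject)
        return code

    def token(self, client_id: str, code: str, code_verifier: str, nonce: str) -> dict:
        """Back channel: redeem the code once, only if the verifier matches the challenge."""
        client, challenge, subject = self.codes.pop(code, (None, None, None))
        if client != client_id:
            raise PermissionError("unknown, reused or foreign code")
        if b64url(hashlib.sha256(code_verifier.encode()).digest()) != challenge:
            raise PermissionError("PKCE verification failed")
        now = int(time.time())
        access_token = secrets.token_urlsafe(24)   # opaque: meaningless without introspection
        self.tokens[access_token] = {"active": True, "sub": subject, "scope": "read",
                                     "client_id": client_id, "exp": now + 300}
        id_token = jwt_encode({"iss": ISSUER, "sub": subject, "aud": client_id,
                               "nonce": nonce, "iat": now, "exp": now + 300})
        return {"access_token": access_token, "token_type": "Bearer", "id_token": id_token}

    def introspect(self, access_token: str) -> dict:
        """RFC 7662-style lookup: resolve the reference to its claims."""
        return self.tokens.get(access_token, {"active": False})


def translate_to_jwt(as_: AuthorizationServer, access_token: str, audience: str) -> str:
    """Token translation at a gateway: by reference in, by value (JWT) out for backends."""
    info = as_.introspect(access_token)
    if not info.get("active"):
        raise PermissionError("inactive token")
    return jwt_encode({"iss": ISSUER, "sub": info["sub"], "aud": audience,
                       "scope": info["scope"], "exp": info["exp"]})


def run_flow() -> dict:
    as_ = AuthorizationServer()
    verifier, challenge = pkce_pair()
    nonce = secrets.token_urlsafe(8)
    code = as_.authorize(CLIENT_ID, challenge, subject="alice")
    resp = as_.token(CLIENT_ID, code, verifier, nonce)
    id_claims = jwt_verify(resp["id_token"], audience=CLIENT_ID)     # client learns who logged in
    api_jwt = translate_to_jwt(as_, resp["access_token"], "https://api.example")
    api_claims = jwt_verify(api_jwt, audience="https://api.example")  # backend validates locally
    return {"user": id_claims["sub"], "nonce_ok": id_claims["nonce"] == nonce,
            "api_sub": api_claims["sub"], "code_reusable": code in as_.codes}
```

Calling run_flow() walks the whole exchange. The points worth noticing: the code is popped on first use, so replay fails; a wrong code_verifier fails even with a valid code, which is what protects a public client that cannot hold a secret; the backend never talks to the authorization server because the gateway already turned the reference into a signed, audience-bound JWT; and jwt_verify pins the algorithm rather than trusting the alg header from the token.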


Licensed under CC BY-NC-SA 4.0