OAuth 2.0

OAuth 2.0, which stands for "Open Authorization", is a standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user.

OAuth2.0 Roles

• Resource Owner: The user or system that owns the protected resources and can grant access to them.
• Client: The client is the system that requires access to the protected resources. To access resources, the Client must hold the appropriate Access Token.
• Authorization Server: This server receives requests from the Client for Access Tokens and issues them upon successful authentication and consent by the Resource Owner. The authorization server exposes two endpoints: the Authorization endpoint, which handles the interactive authentication and consent of the uesr, and the Token endpoint, which is involved in a machine to machine interaction.
• Resource Server: A server that protects the user's resources and receives access request from the Client. It accepts and validates an Access Token from the Client and returns the appropriate resources to it.

Obtaining Authorization

OAuth defines four grant types: authorization code, implicit, resource owner password credentials, and client credentials.

• Authorization Code Grant

• Implicit Grant

• Resource Owner Password Credentials Grant

• Client Credentials Grant

OpenID Connect

OpenID Connect or OIDC is an identity protocol that utiizes the authroization and authentication mechanisms of OAuth 2.0. You can use OIDC to enable single sign-on (SSO) between your OAuth-enabled applications by using a security token called ID token.

OIDC Flows

The choice of OpenID Connect flow depends on the type of application and its security requirements. There are three common flows:

• Implicit Flow: In this flow, commonly used by SPAs, tokens are returned directly to the RP in a redirect URI.
• Authorization Code Flow: This flow is more secure than implicit, as tokens are not returned directly. For native/mobile apps and SPA, security may be enhanced by using Proof Key for Code Exchange.
• Hybrid Flow: Combining Implicit and Authorization Code flows, here, the ID Token is returned directly to the RP, but the access token is not. Instead, an authorization code is returned that is exchanged for an access token.

How Does OpenID Connect Fit with OAuth 2.0?

OIDC utilizes OAuth 2.0 as an underlying protocol. The principal extensions are a special scope value ("openid"), the use of an extra token (the ID Token, which encapsulates the identify claims in JSON format), and the emphasis on authentication rather than authorization. Also, in OIDC, the term "flow" is used in place of OAuth2 "grant".

OIDC vs. OAuth 2.0

OIDC was built on top of OAuth 2.0 to add authentication. The OAuth 2.0 protocol was developed first and then OIDC was added to enhance its capabilities. The difference between the two is that OAuth 2.0 provides authorization, while OIDC provides authentication. OAuth 2.0 is what allows sers to gain access to a replying party, using their account with an OpenID provider, and OIDC is what allos the OpenID provider to pass along a user profile to the relying party. OIDC also allows organizations to offer their users single sign-on.

Resources

• OAuth 2.0
• OpenID Connect
• What is OIDC? - Microsoft
• Angular SPA MSAL Sample
• How to authenticate .NET apps to Azure services using the Azure Identity library