What is OAuth 2.0 & OpenID?

OAuth 2.0 and OpenID Connect are industry-standard protocols used to authenticate your apps.

What is OAuth 2.0?

Open Authorization (OAuth) is an authorization protocol that allows one service (application) to be granted permission to access user resources on another service. This protocol eliminates the need to trust the application with credentials and also allows you to issue a limited set of rights, and not all at once.

For more information about OAuth 2.0, refer to RFC 6749 standard.

Workflow

The OAuth 2.0 workflow typically involves the following steps:

1. The user requests authorization from the resource owner (in this case client app server).
2. If the owner gives authorization, the client passes the authorization grant to the authorization server.
3. If the grant is valid, the authorization server returns an access token, possibly alongside a refresh and/or ID token.
4. The client now uses that access token to access the resource server.

Token Types

A token is an access key to something, for example, a protected resource (access token) or a new token (refresh Token).

OAuth 2.0 supports various token types, including access tokens, refresh tokens, and bearer tokens. Access tokens provide temporary access to resources, while refresh tokens enable the client to obtain new access tokens without user interaction.

Authorization Code Grant flow

This flow is recommended for most cases. The OAuth 2.0 Authorization Code Grant type (auth code) allows an application to securely access protected resources such as web APIs. The auth code flow requires a user agent that supports redirection from the School Passport authorization server back to your application.

During auth code flow:

• The application receives an authorization code after successful user authentication.
• The application exchanges the code for access tokens in exchange for the request.

Implicit Grant flow

The OAuth 2.0 Implicit Grant flow allows an application to obtain access tokens directly, without an authorization code exchange step. This flow is not suitable when storing sensitive information on the client side, such as Client Secret. Unlike the Authorization Code Grant, the Implicit Grant delivers the access_token immediately in the redirection URI.

Resource Owner Password Credentials Grant flow

The OAuth 2.0 Resource Owner Password Credentials (ROPC) Grant flow allows an application to obtain an access token by using the resource owner's username and password directly.

What is OpenID Connect?

OpenID Connect is an authentication standard based on OAuth 2.0. It introduces an ID token type that works alongside OAuth 2.0 access and refresh tokens. OpenID standardizes aspects that OAuth 2.0 doesn't, like scopes, endpoint discovery, and client registration.

For more information about OpenID Connect, refer to OpenID Connect standard

Workflow

The OpenID authentication flow extends the OAuth 2.0 authorization flow, introducing additional steps to authenticate the end-user and provide identity information to the client.

1. Similar to OAuth 2.0, the user initiates the process by requesting authorization from the resource owner.
2. The authorization server authenticates the end-user and returns an ID token along with the access token.
3. The ID token contains information about the end-user and the authentication event, allowing the client to verify the user's identity.