Konubinix' opinionated web of thoughts

Client Get Proof of Authentication by Asking for It


authentication vs identification vs authorization

People sometimes believe that getting an Identity Token is proof of authentication.

Yet, openid connect is a user identity attribute disclosure protocol rather than an authentication protocol.

Therefore, getting a token tell nothing about who is currently playring and whether that person gives any consent to do anything. It only provide some information about that person.

The only way to get some valuably information about the person currently using per computer is redirecting per to an identity provider and asking the Identity Provider to send back the Identity Token of whoever could connect.

That means that authentication in a relying party is only done with interactive discussion with the Identity Provider.