OIDC vs OAuth2fleeting
- External reference: https://hackernoon.com/demystifying-oauth-2-0-and-openid-connect-and-saml-12aa4cf9fdba
- External reference: https://www.c-sharpcorner.com/article/oauth2-0-and-openid-connect-oidc-core-concepts-what-why-how/
- External reference: https://frontegg.com/blog/oidc-vs-oauth2
OpenID Connect, commonly known as OpenID, is a specification for Single Sign-On (SSO) and authentication purposes
Open Authorization (OAuth) is an open standard authorization framework used for token-based authorization that is highly popular across the globe.
OAuth stands for Open Authorization. It’s used for delegated authorization to delegate the responsibilities of user authorization to some other service rather than managing them on its own
Authentication is who you are while authorization is what you can do.
Authorization depends on authentication but they are not interchangeable
identity layer on top of OAuth2.0. The two fundamental security concerns, authentication and API access, are combined into a single protocol called OpenID Connect.
give you an access token plus an id token.
OAuth 2.0 is a set of defined process flows for “delegated authorization”.
OpenId Connect is a set of defined process flows for “federated authentication”.
When you check in to a hotel, you present to the reception with your driving license or passport. This establishes who you are i.e. your identity. Then hotel receptionist issue you a key card that encoded with what you have access to, which will include your room access, it might also include the gym or swimming pool access too. That is your authorization. The best part is that your personal and billing information never leaves the front desk. This is OAuth.
time text https://youtu.be/IXWtx_0Fc00&t=352.8s authentication https://youtu.be/IXWtx_0Fc00&t=354.24s informs authorization and authorization https://youtu.be/IXWtx_0Fc00&t=356.96s makes the decisions not not not the https://youtu.be/IXWtx_0Fc00&t=359.68s authentication
Notes linking here
- Authentication with OAuth 2.0
- claims-based identity
- night club analogy
- using id token as access token?
- zero trust