OpenId - authenticate users with single-sign on
Aug 10, 2021
“OpenID Connect is an authentication standard built on top of OAuth 2.0. It adds an additional token called an ID token. OpenID Connect also standardizes areas that OAuth 2.0 leaves up to choice, such as scopes, endpoint discovery, and dynamic registration of clients. Okta is OpenID Certified”definition from okta developer site
OpenID provider, end user, relying party and ID token
Just to clarify the terms:
- OpenID provider — The authorization server that issues the ID token. (Okta for example).
- end user — Whose information is contained in the ID token
- claim is a piece of information about the end user
- relying party — The client application that requests the ID token
- ID token - is issued by the OpenID Provider and contains information about the end user in the form of claims
OpenID Connect flow
The OpenID Connect flow looks the same as OAuth. The only differences are, in the initial request, a specific scope of openId is used, and in the final exchange the Client receives both an Access Token and an ID Token.
SAML2 vs JWT part 3 has good diagram to illustrate the flow. I recommend to read other parts of the blog (links below)
Couple good references: