What is OpenID Connect (OIDC)?
OpenID Connect (OIDC) is a public authentication mechanism that builds on the OAuth 2.0 standard. Primarily aimed at consumers, OIDC enables users to employ a single sign-on (SSO) feature to log into various third-party sites using their OpenID Providers (OPs) such as a digital mail service or a social media platform. This protocol authenticates user identities and grants applications or services access to their profile data and authentication context.
The main goal of OIDC is to simplify access for users by using a single set of login credentials across multiple platforms. When users attempt to access a service that utilizes OIDC, they are redirected to their respective OP for authentication. Once verified, users are seamlessly redirected back to the original service or application.
As a modern security protocol, OIDC was specifically developed to safeguard browser-based applications, APIs, and mobile apps. It efficiently transfers the responsibility of user authentication to the user’s service provider while also allowing secure third-party access to the user’s information.
How does OIDC work?
Here’s how OIDC typically works in a user authentication scenario:
User Request: When a user attempts to access a service that requires authentication, the service (known as the Relying Party or RP) redirects the user to their chosen OpenID Provider.
Authentication: The user then logs in using their OpenID credentials. If they are already logged in to the OP, this step may be skipped due to existing session cookies.
Authorization: After successful authentication, the OP asks the user if they consent to share certain information with the Relying Party. This consent is crucial for privacy and security.
Tokens Issuance: Upon receiving user consent, the OP sends an ID Token and, usually, an Access Token back to the Relying Party. The ID Token contains a JSON Web Token (JWT) which includes claims about the authentication event (such as the user’s identity and the authentication time) and may also include other user information pre-agreed upon during the setup.
User Info Endpoint: The Relying Party can use the Access Token to securely request additional information about the user from the UserInfo Endpoint provided by the OP. This is useful for fetching dynamic profile data that isn’t included in the ID Token.
Session Establishment: Once the Relying Party validates the ID Token and retrieves necessary user information, it can establish a session for the user, allowing them to use the service without further prompts for authentication.
This streamlined process not only reduces the burden of managing multiple usernames and passwords for users but also mitigates the risks associated with multiple password management. OIDC’s reliance on standard protocols and its wide adoption make it a robust and secure choice for modern identity management in web, mobile, and native applications.
Distinctions Among SAML, OAuth, and OpenID Connect
The key distinction among these standards lies in their core functionalities. OAuth 2.0 serves as an authorization framework, safeguarding specific resources like applications or data sets. In contrast, SAML and OpenID Connect (OIDC) are authentication protocols focused on establishing secure sign-on processes. Essentially, SAML and OIDC identify who the user is, while OAuth 2.0 dictates what they are permitted to access.
OpenID Connect versus OAuth
OAuth 2.0, an open standard for API authorization, outlines how an API client can acquire security tokens that delineate permissions for accessing API resources. Unlike traditional methods that require users to divulge login details to one application to access another, OAuth entrusts authorization decisions to a separate server. This server, hosting the user account, allows OAuth to provide delegated access to third-party services, ensuring the user’s credentials remain undisclosed.
The fundamental difference between OpenID Connect and OAuth is their focus: OAuth is about authorizing access to specific resources, whereas OIDC, like SAML, is geared towards authenticating users to ensure secure sign-ins.
What sets SAML apart from OIDC?
Both SAML and OIDC are robust authentication protocols designed for secure sign-on experiences, yet they cater to different needs. SAML, the older standard, is prevalent in enterprises using web applications. It is suited for browser-based environments but does not support single sign-on (SSO) for mobile devices or API access. On the other hand, OIDC, which is gaining popularity for mobile and native applications, allows API access and supports SSO across both mobile devices and web applications.
OIDC operates with public, third-party Identity Providers (IdPs) like Google, Microsoft, and Amazon, enabling users to access applications via trusted, OIDC-compatible accounts. For enterprises requiring heightened security, SAML may be preferable due to its support for multi-factor authentication and its long-standing presence in enterprise security.
While SAML offers versatility and a rich feature set, many developers favor OIDC for its simplicity and ease of integration. SAML utilizes XML tokens, whereas OIDC employs JSON Web Tokens (JWTs), which are compact and versatile, supporting various cryptographic methods.
Further distinctions include OIDC’s user-centric approach compared to OAuth 2.0’s resource-centric focus. Additionally, while both SAML and OIDC facilitate access to browser-based applications, only OIDC extends this support to mobile devices and APIs, offering a broader application scope.
OpenID Connect in .NET Core
While using many libraries providede by Microsoft and Community we can connect to a lot of projects running OpenID Connect, the benefit of using .NET Core is using its custom framework for utilising OpenID Connect. There are 2 main frameworks:
IdentityServer4: This is a popular framework that allows you to implement both OpenID Connect and OAuth 2.0 protocols. It’s highly extensible and can act as a central identity provider or federate to external providers. Ideal for applications that need complex security requirements.
Duende IdentityServer: This is the next generation of IdentityServer4, developed by the same team but under a new company (Duende Software). It offers enhanced performance and security features. Duende IdentityServer operates under a commercial license, making it suitable for enterprise environments requiring professional support and additional features.
In the next couple of articles we will be focusing on Duende IdentityServer.