In the beginning, there were proprietary approaches to working with external identity providers for authentication and authorization. Then came SAML (Security Assertion Markup Language) – an open standard using XML as its message exchange type. Then, there was OAuth and OAuth 2.0 – also open as well as being a modern, RESTful approach to authorization using JSON as its medium. And now, the holy grail of “secure delegated access”: OpenID Connect (henceforth OIDC), which runs on top of OAuth 2.0.

But wait. What was wrong with OAuth 2.0? To understand better, let’s first dispense with the term secure delegated access. It’s too vague and has led to confusion between authentication (authn) and authorization (authz).

Without secure, external authentication and authorization, you’d have to trust that every application, and every developer, not only had your best interests and privacy in mind, but also knew how to protect your identity and was willing to keep up with security best practices. With OIDC, you can use a trusted external provider to prove to a given application that you are who you say you are, without ever having to grant that application access to your credentials. That’s a pretty tall order, right?

OAuth 2.0 leaves a lot of details up to implementers. For instance, it supports scopes, but scope names are not specified. It supports access tokens, but the format of those tokens is not specified. With OIDC, a number of specific scope names are defined that each produce different results. OIDC has both access tokens and ID tokens. An ID token must be a JSON Web Token (JWT). Since the specification dictates the token format, it makes it easier to work with tokens across implementations.

In this blog series, I share a primer on OIDC. In the first post, we’ll review some key concepts around OIDC and tokens, explained in human terms.