OAuth 2.0 and OpenID Connect Protocols
💡 Quick Tip
Key: OAuth is for authorization (permissions), OpenID is for authentication (identity).
The Need for Federated Identity
In the modern Internet, users don't want to create a new account for every website. The OAuth 2.0 and OpenID Connect (OIDC) protocols allow a user to identify themselves using a trusted provider (like Google or GitHub) without handing over their password to the destination site.
OAuth 2.0: The Authorization Framework
OAuth 2.0 is an authorization framework. It allows an application to obtain limited access to a user's resources on another service through Access Tokens.
- Resource Owner: The user.
- Client: The web application requesting access.
- Authorization Server: The provider that authenticates the user and issues the tokens.
OpenID Connect (OIDC): The Identity Layer
OIDC was created as a layer on top of OAuth 2.0 to manage authentication. It introduces the ID Token, a structured object (usually a JWT - JSON Web Token) containing user information (name, email, photo).
Anatomy of a JWT
A JWT consists of three parts: Header, Payload, and Signature. The signature is the most critical technical part, as it allows the receiver to verify the token's authenticity without constantly querying the provider.
📊 Practical Example
Real-World Scenario: Implementing "Login with Google" in an App
Step 1: Developer Console Registration. Obtain a Client ID and Client Secret. Configure the Redirect URI.
Step 2: Redirection. Send the user to the Google URL with necessary "scopes" (openid, email).
Step 3: Code Exchange. After user approval, Google returns an "Authorization Code". Your server exchanges this code for tokens via a back-channel request.
Step 4: ID Token Validation. Verify the JWT signature using Google's public key. Extract the email to create the user session. You never see their password, reducing technical and legal liability.
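The following Go program is an added example (not code from the original page, and not Google's or any library's own code) that ties together the "Anatomy of a JWT" section and Steps 2 to 4 above. It builds the Step 2 authorization URL, then plays the provider to issue an RS256-signed ID Token (the result of the Step 3 code exchange), and finally performs the Step 4 validation: signature check against the provider's public key, followed by issuer, audience, expiry and nonce checks before the email claim is trusted. The endpoint, client ID, redirect URI, issuer and the locally generated RSA key are all assumptions made up for the example; a real deployment obtains the public key from the provider's published JWKS rather than generating it locally.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Claims is the subset of ID Token claims checked here ("aud" may be an array in real tokens; a string is assumed).
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce"`
	Email string `json:"email"`
}

// AuthorizationURL builds the Step 2 redirect. state ties the callback to this browser
// session; nonce is echoed back inside the ID Token so a token from another login cannot be replayed.
func AuthorizationURL(endpoint, clientID, redirectURI, state, nonce string) string {
	q := url.Values{"response_type": {"code"}, "client_id": {clientID}, "redirect_uri": {redirectURI},
		"scope": {"openid email"}, "state": {state}, "nonce": {nonce}}
	return endpoint + "?" + q.Encode()
}

// NewProviderKey stands in for the provider's signing key (constructed for this example;
// in production the public half is fetched from the provider's published JWKS).
func NewProviderKey() *rsa.PrivateKey {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	return key
}

var enc = base64.RawURLEncoding // JWT segments are base64url without padding

// SignIDToken plays the provider at the end of Step 3: RS256 over "base64url(header).base64url(payload)".
func SignIDToken(key *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(c)
	signingInput := enc.EncodeToString(header) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// decodePart base64url-decodes one JWT segment and unmarshals its JSON into v.
func decodePart(seg string, v interface{}) error {
	raw, err := enc.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// ValidateIDToken is Step 4 on the client: check the signature with the provider's public
// key, then issuer, audience, expiry and nonce, before the email claim is trusted for a session.
func ValidateIDToken(token string, pub *rsa.PublicKey, issuer, clientID, nonce string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	var header struct{ Alg string `json:"alg"` }
	// The token never chooses the algorithm: anything but the configured RS256 is refused up front.
	if len(parts) != 3 || decodePart(parts[0], &header) != nil || header.Alg != "RS256" {
		return nil, fmt.Errorf("rejected: malformed token or alg is not RS256")
	}
	sig, err := enc.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c Claims // decoded only after the signature has been verified
	if err := decodePart(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("wrong issuer %q", c.Iss)
	case c.Aud != clientID:
		return nil, fmt.Errorf("token issued for another client: aud=%q", c.Aud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, fmt.Errorf("token expired")
	case c.Nonce != nonce:
		return nil, fmt.Errorf("nonce mismatch")
	}
	return &c, nil
}

func main() {
	key, now := NewProviderKey(), time.Now()
	fmt.Println(AuthorizationURL("https://accounts.example/authorize", "client-abc", "https://app.example/callback", "s1", "n1"))
	tok, _ := SignIDToken(key, Claims{Iss: "https://accounts.example", Aud: "client-abc", Exp: now.Unix() + 3600, Nonce: "n1", Email: "alice@example.com"})
	fmt.Println(ValidateIDToken(tok, &key.PublicKey, "https://accounts.example", "client-abc", "n1", now))
}
```

Two design points are worth noting. The claims are only decoded after the signature has been verified, so nothing from an unverified payload ever influences the check, and the accepted algorithm is fixed by the client rather than read from the token header. The state value is not checked here because it lives in the browser session rather than in the token: the callback handler must compare the state query parameter against the one it stored before redirecting.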