
So these days I was reading about OpenID and OAuth2. I've seen some questions (this and this), but from what I've read you can use OAuth also for authentication, not just for authorization. On the second question, I've read this:

If you have an account (with some private resources) in a website, you can log in with username/password couple. If an application would like to get some private resources, and if you don't want to give them your username/password, use OAuth.

But if you want to log in into multiple websites with a unique account, use OpenID.

This raised more confusion (Dominick Baier said in one of his presentations that if you haven't heard about OAuth2 these years, you were living in a cave for the last years, so it seems this was my case): If I have many web services (APIs) and if I have an STS service to request tokens for all the APIs, then am I using OpenID? Is OAuth not scalable to extend the authorization to multiple sites using a single STS service?

When you try to explain it to me, please consider that I haven't implemented an authentication or authorization process before.

Buda Gavril

1 Answer


You are right: a lot of authorization servers based on OAuth2 provide a way to authenticate. But OAuth2 is not designed for that purpose. In an OAuth2 context, the client has just an access token to retrieve/manage resources on a resource server. It knows nothing about the resource owner.

That is why the OpenID Connect protocol has been created. It works on top of the OAuth2 Framework protocol and allows the client to get information about the resource owner.

I recommend you look at this very interesting talk (start at 4:44). This video helped me a lot to understand the purpose of each token. I hope it will help you too.

Spomky-Labs
  • For SPA, it looks like it uses 'id_token' in place of 'access_token'. Is it true that 'id_token' is taking over in this special case for SPA? One reason is that SPA XHR cannot talk to the OAuth Token Endpoint because of CORS Policy. – Ashokan Sivapragasam Apr 24 '19 at 09:20
  • The `id_token` gives information about the user (name, id, address, phone...). The `access_token` gives access to the data owned by the user and managed by a resource server. A SPA can use both tokens or only one. If the SPA cannot talk to a token endpoint because of CORS policy, this is because there is something wrong with the endpoint configuration. – Spomky-Labs Apr 24 '19 at 12:14
  • Oh, thanks! I have discussed it in https://stackoverflow.com/questions/55827056/oauth-2-0-spa-how-does-id-token-disguise-as-an-access-token-for-accessing-re/55827801?noredirect=1#comment98321526_55827801 – Ashokan Sivapragasam Apr 24 '19 at 12:17
  • Now I understood that the SPA acquires an id_token for authentication and acquires an access_token by calling the Az Token Endpoint from an iFrame for calling external Web APIs. – Ashokan Sivapragasam Apr 24 '19 at 12:19