I can't understand the difference between the OAuth `authorization_code` grant and the OIDC `authorization_code` flow. For me it seems that this grant and flow are the same. If that's true, why use OIDC? If not, then when to use OIDC and OAuth? I have read a lot of blogs and questions on various forums, but I still can't understand it.

Does this answer your question? [What's the difference between OpenID and OAuth?](https://stackoverflow.com/questions/1087031/whats-the-difference-between-openid-and-oauth) – Ron van der Heijden Mar 28 '22 at 16:49
-
Ok, now I feel more confused. I don't know if I understand it correctly, but when using `client_credentials` I am using OAuth and when using `authorization_code` I am using OpenID Connect? So why does the OAuth protocol in the documentation contain an `authorization_code` grant? – Szyszka947 Mar 28 '22 at 17:13
-
OIDC is a superset of OAuth2. All OIDC flows are also OAuth2 flows; not all OAuth2 flows involve OIDC. You don't pick one or the other; if you're using OIDC, you're also using OAuth2 at the same time. – user229044 Mar 28 '22 at 19:09
1 Answer
You are right, the terminology between OAuth and OpenID Connect is sometimes confusing.

The flow is the same; OpenID Connect is only an extra layer on top of OAuth.

When you use OAuth, you receive an `access_token`, which grants you access to a resource server. The `access_token` proves authorization. So the resource server has no idea who you are, only that you may access resources.

When you use OpenID Connect, and provide the `openid` scope when requesting the authorization code, you receive an extra token, the `id_token`. This `id_token` is a signed JWT token which holds the identity of the user. Optionally you can add more scopes for more claims in your `id_token`. The `id_token` proves authentication.

Also, if you support OpenID Connect, but the client does not provide the `openid` scope, you don't receive an `id_token` but only the OAuth tokens.

So the flows are identical; the only difference is the `id_token`.
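As an added illustration (not code from the answer above or from any OAuth/OIDC library), here is what a client does with the token response in the two cases the answer describes: a plain OAuth response carries only an opaque `access_token`, while a response to a request that included the `openid` scope also carries an `id_token` that the client must verify (signature, `iss`, `aud`, `exp`, `nonce`) before trusting the identity in it. The client secret, issuer, client id, nonce and claims are constructed; the token is signed with HS256 using the `client_secret` as key so the example runs offline (OpenID Connect Core allows this, although RS256 with provider-published keys is the usual deployment).

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict, client_secret: str) -> str:
    """Constructed id_token as an OP would mint it (HS256, key = the client_secret)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(client_secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_id_token(token, client_secret, issuer, client_id, nonce, now=None) -> dict:
    """Check the signature plus the claims a client must validate (iss, aud, exp, nonce)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the token choose it
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(client_secret.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("id_token not issued to this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch, possible replay")
    return claims

def handle_token_response(resp: dict, **verify_kwargs) -> dict:
    """Plain OAuth: access_token only, user unknown. With the openid scope: id_token too."""
    result = {"access_token": resp["access_token"], "user": None}
    if "id_token" in resp:  # only present when the openid scope was requested
        result["user"] = verify_id_token(resp["id_token"], **verify_kwargs)["sub"]
    return result
```

The `access_token` is passed through untouched because, as the answer says, it is meant for the resource server and tells the client nothing about who the user is; only a verified `id_token` yields a `sub`.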
