Reference Information Summary for Learning the Difference Between OpenID Connect and OAuth 2.0

Tadashi Shigeoka ·  Tue, March 28, 2023

I’d like to share a collection of reference information I compiled for understanding the difference between OpenID Connect and OAuth 2.0.

Background: Asked About the Difference Between OpenID Connect and OAuth 2.0

When asked about the difference between OpenID Connect and OAuth 2.0, I compiled some helpful information for understanding it.

<h2>Difference Between OpenID Connect and OAuth 2.0</h2>

Here’s the response I got from ChatGPT when asking about “the difference between OpenID Connect and OAuth 2.0”:

Simply put, the main difference is that OAuth 2.0 is a framework for access authorization, while OpenID Connect is a framework for authentication. However, since OpenID Connect extends OAuth 2.0, it can provide both authentication and authorization functionality.
<h3>Main Features of OAuth 2.0:</h3>
<ol>
    <li>
        Purpose: OAuth 2.0 is a framework for third-party applications to obtain access permissions on behalf of resource owners to access resources.
    </li>
    <li>
        Authorization: Uses access tokens to grant access to specific resources. The resource owner is not used for authentication.
    </li>
    <li>
        Scope: OAuth 2.0 has scopes that define the permissions to access with the access token.
    </li>
    <li>
        Use Cases: Commonly used in social media applications and API servers for access control.
    </li>
</ol>

<h3>Main Features of OpenID Connect:</h3>
<ol>
    <li>
        Purpose: OpenID Connect is a protocol for authenticating and identifying end users. It's based on OAuth 2.0 and extends authentication functionality.
    </li>
    <li>
        Authentication: Uses ID tokens to authenticate end users. It also obtains OAuth 2.0 access tokens.
    </li>
    <li>
        Scope: In addition to OAuth 2.0 scopes, OpenID Connect requires the "openid" scope.
    </li>
    <li>
        Use Cases: Used to provide single sign-on (SSO) for applications and to retrieve end user profile information.
    </li>
</ol>
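To make the distinction concrete, here is an added example (my own code, not from the post or the ChatGPT reply): a relying party that detects an OIDC request by the "openid" scope and validates an ID token's signature and claims (issuer, audience, expiry, nonce), which is what makes the ID token usable for authentication while a bare access token is not. The issuer URL, client_id and HS256 shared secret are constructed values; a real provider would sign with an asymmetric key published via JWKS.

```python
import base64, hashlib, hmac, json

# Constructed demo values; not taken from any real provider or the post.
ISSUER = "https://idp.example"      # assumed issuer URL (iss claim)
CLIENT_ID = "client-123"            # assumed relying-party client_id (aud claim)
SHARED_SECRET = b"demo-secret"      # HS256 key shared with the IdP, demo only

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def is_oidc_request(scope: str) -> bool:
    """OIDC requires the 'openid' scope; without it this is a plain OAuth 2.0 request."""
    return "openid" in scope.split()

def make_id_token(sub: str, nonce: str, now: int) -> str:
    """Mint a minimal HS256-signed ID token (JWT), standing in for the IdP."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID,
              "iat": now, "exp": now + 300, "nonce": nonce}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def validate_id_token(token: str, expected_nonce: str, now: int) -> dict:
    """Relying-party checks on an ID token; raises ValueError if any fails. These bind
    the token to this client (aud) and this login (nonce), which an access token does not."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # pin the algorithm; never trust the header
    expected = hmac.new(SHARED_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims
```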

Reference Information for Learning the Difference Between OpenID Connect and OAuth 2.0

You can get a general understanding of the difference between OpenID Connect and OAuth 2.0 by reading the following articles. I'm sharing these along with the ChatGPT response above.

That’s all from the Gemba, where I explained the difference between OpenID Connect and OAuth 2.0.