A study of OAuth2 and OpenID Connect with Azure AD B2C

One of the very fundamental questions in user authentication / authorisation is the difference between OAuth2 and OpenID Connect (OIDC). A lot of people say OAuth is an authorisation framework which doesn’t explicitly define how users are authenticated. OK, but how many people know exactly what that means? In this study, I will try to explain it in a way everyone can understand.

The URL below shows what a typical Azure B2C login looks like:

https://digicap1.b2clogin.com/digicap1.onmicrosoft.com/oauth2/v2.0/authorize?
p=B2C_1_digicap-signinandsignup&
client_id={client_id}&
redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&
scope=openid&
response_type=code&
prompt=login

digicap1 is the instance name of my Azure B2C. The response_type (“code”) shows we are using the Authorisation Code grant flow. Just in case you don’t already know…

The authorisation code is a temporary code that the client will exchange for an access token.

…it is the most secure way to pass the token back to the application, reducing the risk of the token leaking to someone else.

https://www.oauth.com/oauth2-servers/server-side-apps/authorization-code/

The access token is encrypted. The backend knows what it says, but the frontend or the app never gets the chance to know who the user is until OIDC comes to the rescue. Switching over to OIDC is dead easy. Take a look at the login below:

https://digicap1.b2clogin.com/digicap1.onmicrosoft.com/oauth2/v2.0/authorize?
p=B2C_1_digicap-signinandsignup&
client_id={client_id}&
nonce=defaultNonce&
redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&
scope=openid&
response_type=code+id_token&
prompt=login

The value added to response_type is id_token. It means we are following an OIDC workflow, which returns an ID token in addition to the classic OAuth2 authorisation code workflow.

An ID token is a form of security token that your app receives from the Azure AD B2C /authorize and /token endpoints.

ID tokens are represented as JWTs, and they contain claims that you can use to identify users in your app. 

https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-tokens

Now let’s take a look at the request body. It doesn’t matter whether it’s OAuth or OIDC: the way Azure B2C passes back the tokens or the authorisation code is the same. After the user enters username and password, B2C sends a redirect (HTTP status code 302) to the browser to take the user back to the app, with the tokens and/or the authorisation code embedded in the request body or in the query string, depending on the value of response_mode.

code=eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMCIsInppcCI6IkRlZmxhdGUiLCJzZXIiOiIxLjAifQ..

OAuth2 redirect request body

There are other types of OAuth2 workflow; for example, the implicit workflow passes back the access token directly. No authorisation code required!

OIDC returns both the authorisation code and the ID token, e.g.

id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrNHh5b2pORnVtMW…
code=eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMCIsInppcCI6IkRlZmxhdGUiLCJzZXIiOiIxLjAifQ…

OIDC redirect request body

The ID token is not encrypted because it’s designed to be easily accessible to the apps. Generally, OAuth2 gives you access to protected backend resources; OIDC lets you know who the user is.

Simple, right?
