OAuth 2.0 vs OIDC

OAuth 2.0 vs OIDC

Blog Post 6

Welcome to the 6th article in our #100daysofapisecurity series.

In the mid-2000s, the booming digital landscape faced a challenge. Users managed a multitude of passwords for different online services, and the risky practice of sharing credentials directly with third-party apps was widespread. Enter OAuth, a beacon in this chaos, which by 2010 matured into OAuth 2.0. This protocol aimed to standardize how third-party applications access user data, eliminating the need to expose user passwords.

However OAuth 2.0, despite its groundbreaking approach to authorization, lacked a robust means of user authentication. Recognizing this void, OpenID Connect (OIDC) emerged. Developed on top of OAuth 2.0, OIDC aimed to not only define "what" a third-party application could access but also authenticate "who" was accessing it.

Let's compare the internet to a huge digital city. In this city, OAuth 2.0 equips third-party applications with 'access passes' to specific buildings (services). Users, possessing rights over spaces in these structures, can permit third-party access to particular rooms (resources) without giving up their primary key (password).

Taking a real-world approach, solutions like Google OAuth 2.0 allow third-party applications to tap into services like Google Drive, and Facebook Login uses OAuth 2.0 to facilitate third-party access to user data without compromising credentials.

Building on our city analogy, OAuth 2.0's role is to allow entry into specific buildings. In contrast, OIDC is the attentive security personnel inside, validating your identity. It's similar to ensuring you are the legitimate holder of an access pass.

Modern solutions have capitalized on the strengths of OIDC. Auth0, for instance, offers customizable authentication experiences, while Okta stands out as a favoured Identity and Access Management tool, leveraging OIDC for seamless user authentications.

As with any protocol, OAuth 2.0 and OIDC have their vulnerabilities. In OAuth 2.0, there's a danger of token hijacking. Just as a malicious entity might duplicate a concert ticket for unauthorized access, a hacker intercepting OAuth 2.0 tokens could gain unauthorized data access. A strong defence involves encrypted communication via HTTPS and the use of token binding. OIDC isn't exempt from threats either. Token substitution attacks stand out, wherein an attacker replaces a user's ID token, deceiving the system about their identity. Guarding against this involves rigorous ID token validation and ensuring contextual token usage.

Leveraging OAuth 2.0 and OIDC in APIs

The essence of an API's role lies in its ability to facilitate interactions and data exchanges between different systems securely. As explained OAuth 2.0, at its heart, addresses the question: How can one system access the resources of another on behalf of a user without exposing that user's credentials? APIs harness this protocol to ensure third-party applications can interact with them without compromising the integrity of the user's sensitive data.

To visualize, imagine a user attempting to connect their calendar application to a third-party scheduling app. The API, empowered by OAuth 2.0, allows this third-party app to access the user's calendar data without ever revealing the user's login credentials. Instead, tokens are used to represent these access permissions, creating a protective layer between user data and potential threats.

This "tokenized" system is the backbone of OAuth 2.0, where an application requests access, the user grants permission, and the application receives a token, eliminating the need to directly handle user credentials. This approach fundamentally reshapes how APIs ensure both user data protection and smooth third-party integrations.

While OAuth 2.0 focuses on authorization, OIDC, developed on top of OAuth 2.0, brings in an additional layer: authentication. It answers another pressing question: Beyond allowing access, how can we verify the identity of the entity seeking it?

When APIs integrate OIDC, they're empowered with an identity verification mechanism. Using our earlier example, while OAuth 2.0 ensures the scheduling app can access the calendar data, OIDC verifies that the person using the scheduling app is indeed who they claim to be. OIDC achieves this by introducing the ID token, a secure token containing claims about the user's identity. This is a JSON Web Token (JWT), meaning it consists of a set of claims or assertions about the user. These claims can include the user's name, email, roles, and more.

Key Steps in Implementation

Implementing OAuth 2.0 and OIDC in APIs isn't a difficult task, especially with the range of tools and services available today. Here's a high-level overview of the process:

  1. Identity Provider Selection: Before diving into integration, it's vital to choose a reliable Identity Provider (IdP), such as Auth0, Okta, or Azure AD. These platforms offer the necessary infrastructure and support to streamline the implementation of both protocols.

  2. Token Utilization: Once integrated, any application interacting with the API will need to obtain and use tokens. For OAuth 2.0, this means receiving an access token after user permission and then utilizing this token for API requests. With OIDC, an additional ID token is received, offering insights into user identity.

  3. Audits and Security Enhancements: Security is not a one-time thing. Post-implementation, regular security audits should be conducted to ensure compliance with evolving standards, to identify potential vulnerabilities, and to ensure the API remains protected against emerging threats.