Questions tagged [openid-connect]

OpenID Connect is an optional standardization of identity and profile data on top of OAuth 2.0 when OAuth is used for authentication.

194 questions
169 votes, 7 answers

Difference Between OAUTH, OpenID and OPENID Connect in very simple terms?

I am very confused by the difficult jargon available on the web about OAUTH, OpenID and OPENID Connect. Can anyone tell me the difference in simple words?
user960567
127 votes, 7 answers

Why use OpenID Connect instead of plain OAuth2?

I just started to use OAuth 2.0 as a way to authenticate my users. It works great - I just use the identity/profile API of each provider to get a validated email address of the user. Now I read about OpenID Connect and am a little bit confused.…
rdmueller
38 votes, 3 answers

Why isn't PKCE encouraged for Single-Page Apps?

A lot of services today still recommend the implicit flow for an OpenID Connect/OAuth2 token exchange when developing Single-Page Apps. (See Okta - now recommends PKCE w/ implicit fallback, Google, Auth0) Some newer guidance out there points towards…
someone1
37 votes, 2 answers

OAuth 2 vs OpenID Connect to secure API

I am developing a Web API which will back several applications: a website, a companion mobile application(s) and possibly several third-party applications. Every application is expected to get an access token from the auth server and then feed it to the…
Sergei Rogovtcev
33 votes, 3 answers

When do you use OpenID vs. OpenID Connect

Can they be used together? …or are they two separate protocols that may or may not be useful depending on the context? The reason I ask is because I'm trying to implement the following: User "Bob" goes to a Client implemented as a User-Agent…
tjb1982
30 votes, 1 answer

How to do role-based authorization with OAuth2 / OpenID Connect?

I'm trying to use OAuth2 for authentication/authorization, but after much reading around, I am confused... I'm trying to understand how OAuth and OpenID Connect relate to each other, and how exactly I can use them for authorization. From what I…
lv.
20 votes, 2 answers

OpenID Connect nonce replay attack

The OpenID Connect specification adds a nonce parameter to the authorize endpoint, which must be echoed back as a claim in the id_token. It claims that the purpose of this parameter is to prevent replay attacks and has some implementation…
user3072507
20 votes, 1 answer

OIDC Flow for SPA and RESTful API

I'm building a Single-Page App (SPA) and a RESTful API. The API needs security - certain users can only make calls to certain endpoints. I have an external Identity Provider (IdP (Okta)) that I want the user to authenticate with using the OpenId…
Steve
15 votes, 2 answers

Purpose of nonce validation in OpenID Connect implicit flow

The OpenID Connect specification requires implicit flow clients to generate and validate a nonce: String value used to associate a Client session with an ID Token, and to mitigate replay attacks. What replay attacks are those? Put differently,…
meriton
12 votes, 1 answer

Why can’t I use query Response Mode with id_token Response Type (“implicit” flow)?

Although I think OpenID 2.0 is a cleaner and better authentication protocol than OpenID Connect, I have to implement an OpenID Connect IdP. One point I like in OpenID 2.0 is that the IdP can return a signed identity to the Relying Party (through the…
user2233709
11 votes, 1 answer

Is CORS ever needed during any aspect of OAuth / OpenIDConnect Authentication?

I'm looking at OpenIDConnect authentication and trying to determine if either "simple CORS" or "complex CORS" is ever leveraged during authentication or authorization. Background A Simple CORS (with no preflight) involves: HTTP method…
makerofthings7
11 votes, 1 answer

If I misuse OAuth 2.0 to do authentication, am I at risk?

I understand that OAuth is not an authentication protocol, but an authorization one (even if the first paragraph on Google's OAuth 2.0 page disagrees), as well as that: [...] authorization can be abused into some pseudo-authentication, on the basis…
Arseni Mourzenko
9 votes, 1 answer

Using the authorization code grant without using cookies?

I've been reading up on this for months and it seems like the whole thing could converge on what I'm summarizing below. I'm trying to arrive at the most ideal: OAuth2 OpenID Connect SPA / Mobile Client JWT Solution that has banking level security…
Ole
8 votes, 4 answers

Is 'Bring your own Identity' as the only authentication option a valid practice?

This question is mainly aimed at OpenID Connect, when it is fully realized. I understand the aversion to signing in with a social networking site, but from what I understand about OIDC, it's supposed to finally allow developers to simply implement…
Andrew Hoffman
7 votes, 2 answers

PKCE vs Client Secret

If I was developing a web app client that would be served statically, I would need to either use the implicit grant flow (which is no longer advisable) or use the authorization code grant flow with PKCE. Given that I'm developing a web app client…
Daniel Rearden