Much to everyone's disappointment, OAuth 2.0 is not an authentication protocol. Instead, it is a protocol for protecting resources, where that resource is an API, and allowing a client application to access it on the owner's behalf. It is an authorization protocol. Better still, it is a delegation protocol.
Over the years a lot of people have tried to turn OAuth into an authentication protocol or bend the protocol to their will, which is why we have so many different providers, each with their own implementation depending on their view of the universe. Unsurprisingly, if you look at the list of top OAuth providers, it is eerily similar to the list of organisations that have been hacked in recent years. Creating your own authentication protocol is no simple task...
OpenID Connect 1.0 extends the OAuth protocol and introduces a new protected resource type: identity. This allows you to provide authentication whilst still using OAuth, but doing so based on a set of specifications, extensions and defined endpoints, allowing us to use authentication securely and with minimal effort for the consumer. It also opens up the possibility of combined authentication and authorisation in one round trip.
OpenID Connect defines a standard token type, the JSON Web Token (JWT), something that OAuth never did: OAuth only states what an access token is for, leaving the format and implementation to others; again, not an easy task. This defined token allows for simple interoperability, so one OpenID Connect library can connect to any arbitrary provider, and it opens up new token validation options thanks to the structured style of a JWT.
It also defines an identity token, a dedicated token type used for authentication that describes the user authenticating with the system.
Other features that have now been standardised are cryptography policies (defined and widely accepted security for tokens) and token validation (a process that OAuth never explicitly told the developer how to implement).
For further reading, check out the endpoints available with OpenID Connect, or the grant types it supports. Or, if you're keen to get started, check out OpenID Connect frameworks such as IdentityServer or oidc-provider.

Sources

- The problem with OAuth for Authentication - John Bradley's article on OAuth and authentication
- Unifying Authentication & Delegated API Access for Mobile, Web and the Desktop with OpenID Connect and OAuth2 - Dominick Baier's talk from NDC London 2014. A good introduction to the issues with OAuth2 and the benefits of OpenID Connect
- OpenID Connect 1.0