Published on November 22, 2023

OAuth 2.0 + OIDC Authentication

In the past, sharing data between services required username and password authentication: the user handed their credentials to the client service, and once authenticated, that client had full access to all of the user's data on the server. This is no longer considered best practice, because it exposes the username and password to a third party and gives the user no control over how much data is shared.

OAuth 2.0 is an authorization framework; OpenID Connect (OIDC) is used together with it for authentication. Resource sharing with OAuth 2.0 usually involves three or more parties: the resource owner, the resource server, and the client. Although not required, the resource server can also take on the role of the authorization server.

The resource-sharing process starts with the resource owner requesting resources through the client. The client invokes the authentication flow with the authorization server (here, the resource server), which redirects the user to the authorization server's login page. After a successful login, the owner can review which resources are about to be shared. Once the owner grants permission, the authorization server issues an authorization code, which the client exchanges for an access token. The client can then access resources on the resource server, within the granted scope, by presenting the access token.

Other notable features of OAuth 2.0 include the ability for the owner to revoke an access token or to set an expiration date on it.
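The exchange described above, together with the revocation and expiry behaviour just mentioned, as an added illustration that is not code from the original post. It is a single-process, in-memory model: the `AuthorizationServer`, `ResourceServer` and `run_flow` names, the `photo-app` client, the `read:photos` scope and the fixed clock value are all assumptions made for the example. A real deployment runs these as HTTPS endpoints with a persistent token store, but the checks shown (redirect URI matches registration, `state` comes back unchanged, the authorization code is single-use, the access token is scope-limited, expires, and can be revoked) are the ones a defender wants to see in any implementation.

```python
"""Toy in-memory model of the OAuth 2.0 authorization code flow.

Added example, not the post's own code. Class names, the client
registration and the fixed clock are assumptions for illustration.
"""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class AuthorizationServer:
    """Issues single-use authorization codes and expiring, revocable access tokens."""
    registered_clients: dict                      # client_id -> (client_secret, redirect_uri)
    _codes: dict = field(default_factory=dict)    # code -> (client_id, user, scope, redirect_uri)
    _tokens: dict = field(default_factory=dict)   # token -> {user, scope, expires_at, revoked}
    token_ttl: int = 3600

    def authorize(self, client_id, redirect_uri, scope, state, user):
        """Login + consent step: the owner has authenticated and approved `scope`."""
        _, registered_uri = self.registered_clients[client_id]
        if redirect_uri != registered_uri:            # never redirect a code to an unregistered URI
            raise ValueError("redirect_uri does not match registration")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, user, scope, redirect_uri)
        return {"code": code, "state": state}         # what the browser carries back to the client

    def token(self, client_id, client_secret, code, redirect_uri, now=None):
        """Code exchange: the client authenticates and trades the code for an access token."""
        now = time.time() if now is None else now
        secret, _ = self.registered_clients[client_id]
        if not secrets.compare_digest(secret, client_secret):
            raise PermissionError("invalid client credentials")
        entry = self._codes.pop(code, None)           # pop: a code can be exchanged only once
        if entry is None or entry[0] != client_id or entry[3] != redirect_uri:
            raise PermissionError("invalid or reused authorization code")
        _, user, scope, _ = entry
        tok = secrets.token_urlsafe(32)
        self._tokens[tok] = {"user": user, "scope": set(scope.split()),
                             "expires_at": now + self.token_ttl, "revoked": False}
        return {"access_token": tok, "token_type": "Bearer",
                "expires_in": self.token_ttl, "scope": scope}

    def introspect(self, tok, now=None):
        """Active only if the token is known, unexpired and not revoked."""
        now = time.time() if now is None else now
        t = self._tokens.get(tok)
        if t is None or t["revoked"] or now >= t["expires_at"]:
            return {"active": False}
        return {"active": True, "user": t["user"], "scope": t["scope"]}

    def revoke(self, tok):
        """The owner withdraws consent; the token stops working immediately."""
        if tok in self._tokens:
            self._tokens[tok]["revoked"] = True


class ResourceServer:
    """Serves a user's data only within the scope granted on the presented token."""
    def __init__(self, auth_server, data):
        self.auth, self.data = auth_server, data

    def get(self, resource, bearer, now=None):
        info = self.auth.introspect(bearer, now)
        if not info["active"]:
            return 401, "invalid_token"
        if f"read:{resource}" not in info["scope"]:
            return 403, "insufficient_scope"
        return 200, self.data[info["user"]][resource]


def run_flow(now=1_700_000_000.0):
    """Walk through the exchange and return what the client observes at each step."""
    auth = AuthorizationServer({"photo-app": ("s3cret", "https://photo.example/cb")})
    rs = ResourceServer(auth, {"alice": {"photos": ["a.jpg"], "email": "alice@example.com"}})
    state = secrets.token_urlsafe(8)                  # client-side binding against forged callbacks
    redirect = auth.authorize("photo-app", "https://photo.example/cb", "read:photos", state, "alice")
    if redirect["state"] != state:                    # the client must refuse a mismatched state
        raise RuntimeError("state mismatch")
    grant = auth.token("photo-app", "s3cret", redirect["code"], "https://photo.example/cb", now)
    tok = grant["access_token"]
    results = {
        "in_scope": rs.get("photos", tok, now),       # granted scope: data is returned
        "out_of_scope": rs.get("email", tok, now),    # not consented to: refused
        "expired": rs.get("photos", tok, now + 3601), # past expires_in: refused
    }
    try:                                              # reusing the code must fail
        auth.token("photo-app", "s3cret", redirect["code"], "https://photo.example/cb", now)
        results["replay"] = "accepted"
    except PermissionError:
        results["replay"] = "rejected"
    auth.revoke(tok)
    results["after_revoke"] = rs.get("photos", tok, now)
    return results


if __name__ == "__main__":
    for step, outcome in run_flow().items():
        print(f"{step}: {outcome}")
```

Running the module prints one line per step; the `out_of_scope` and `after_revoke` entries are the two properties the post singles out (the owner chooses how much to share, and can withdraw the grant later), and `replay` shows why the authorization code is deleted on first use.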

Sequence Diagram

[Figure: OIDC / OAuth 2.0 sequence diagram]

Tags: Access Token, API Authentication, Authentication, OAuth 2.0, SSO, Tech, Token-Based Authentication