OpenID Connect (OIDC)
Categories:
2 minute read
OAuth 2.0 provides the authorization to access data, while OpenID Connect allows the client to verify the user’s identity. So, while OAuth 2.0 will enable you to read someone’s email (with their permission), OpenID Connect lets you know to who the email belongs.
An everyday use case in these environments is using OAuth 2.0 and OpenID Connect for securing microservices. Suppose you have a set of microservices deployed on AWS ECS, EKS, or Azure Kubernetes Service, and you want to ensure that only authenticated and authorized users can access these services.
Here’s how OAuth 2.0 and OpenID Connect would come into play:
When a user attempts to access a resource (e.g., a microservice), they first authenticate with an Identity Provider (IdP) - this could be AWS Cognito, Azure Active Directory, Google, or any other service that supports OpenID Connect. The IdP is responsible for verifying the user’s identity, typically by asking them to enter a username and password.
Once the user has authenticated, the IdP issues an ID token (per OpenID Connect) and an access token (per OAuth 2.0). The ID token contains information (or claims) about the user, such as their username or email address. The access token is a “key” that grants access to specific resources - in this case, the microservice.
The user (or, more accurately, the user agent, i.e., the browser or application acting on the user’s behalf) sends these tokens to the microservice as part of their request. The microservice validates the tokens, ensuring a trusted IdP signs them and that they grant access to the requested resource.
If the tokens are valid, the microservice processes the request. If not, the microservice denies the request.
This process allows you to secure your microservices using a combination of OAuth 2.0 (for authorization) and OpenID Connect (for authentication), leveraging the capabilities of modern cloud-based IdPs like AWS Cognito or Azure Active Directory. It means you can avoid the complexity and potential security risks of managing user identities and instead focus on building your core application logic.