For API security there are two standards, and both of their names start with the capital letter O. So it is no wonder that people ask all the time: what is the difference between OAuth 2 and OpenID Connect?

The OAuth standard ensures that no information about the resource owner leaks unintentionally to the app. The app may access only specific resources, and only with the explicit consent of the resource owner. The app never receives the resource owner's credentials, which would amount to wildcard access to all of the user's data. Because it protects the resource owner's data, in particular personal and profile data, the OAuth standard can be used to safeguard the resource owner's privacy.

OAuth's strict privacy policy is a good default setting. There are, however, cases in which the resource owner wants the identity provider to hand specific data about the resource owner, for example the resource owner's name or address, to a specific app, e.g. for a smooth sign-up and login experience. Of course, the app is granted access to this information only if the resource owner explicitly consents to the delegation of the respective access rights.

OpenID Connect standardizes how apps can access the attributes of the resource owner, via a token and via a RESTful API, and how this data is structured and organized. OpenID Connect extends the authorization code flow, introduces new tokens, and standardizes some endpoints. It is a solution that can be applied in many environments, on many devices, and with many different products. OpenID Connect is realized as an extension of OAuth, a so-called OAuth profile; OAuth profiles are the standardized mechanism for building upon the main OAuth standard.

To understand OpenID Connect in depth, it helps to have a visualization of the flows. In the new OpenID Connect Book, the OpenID Connect flows are described as sequence diagrams.

In the book OAuth 2.0 you can find all the standard OAuth flows, visualized as sequence diagrams.

OAuth 2 vs. OpenID Connect

Matthias Biehl

As an API strategist, Matthias helps clients discover their opportunities for innovation with APIs and ecosystems and turn them into actionable digital strategies. Based on his experience in leading large-scale API initiatives in both business and technology roles, he shares best practices and provides both strategic and practical guidance. He has stayed a techie at heart and, at some point, got a Ph.D. Matthias publishes a blog at api-university.com, is the author of several books on APIs, and regularly speaks at technology conferences.