Authentication in the context of OpenID Connect?


I have a general question about OpenID Connect and authentication.

I am watching Oktane17: What the Heck is OpenID Connect? and around the 7 minute mark Karl McGuinness is asking the rhetorical question whether OAuth 2.0 is an authentication protocol. I understand that OpenID Connect is a layer on top of OAuth 2.0 that provides authentication. He also says that resource providers are making an assumption that a person/service holds the key and therefore is the owner of the resource. But that isn’t necessarily true. And that OIDC solves this problem.

What I don’t understand is what the term authentication is expressing in this context.

In my understanding, authentication is the process or action of proving or showing something to be true, genuine, or valid. So if I go to the resource server and tell him I am Danic, then I need some sort of validation from a source that is trusted by the resource server. More concretely, I authenticate towards the identity provider by using a shared secret that only I and the identity provider know, which validates my claim that I am who I am. The identity provider then gives me some sort of signed ticket that can be used by the resource server to verify that claim.

The way I understand OAuth is that when I authorize a client to access a resource on my behalf, then I authenticate at the identity provider, ask the resource server to give me an authorization code (the key) so I can pass it to the client that then is able to access my data on my behalf. The authorization code is strictly tied to my identity, something the resource server knows so it can distinguish between access requests to my data and non-authorized access to someone else’s data.

Depending on the circumstances it is possible that the client does not know who authorized it or whose data it accesses. That may not be a problem at all, be inconvenient, or even cause the client to not be able to fulfill its purpose. To come back to the video, the client may assume that the token owner is the data owner, but there isn’t necessarily a reason to assume anything at all?

But in any case, the client – from my understanding – is not required to trust that whoever authorized it is the owner of the resource. That is the combined responsibility of the identity provider and the resource server.

So, what does it mean when it is said that OpenID Connect is used for authentication?

The only assumption I can make with my understanding is that OpenID Connect gives the client a standardized protocol on how to retrieve information about the person authorizing the client to access their resources. Such as their name, email, age or whatever information the person allows the client to retrieve.

I hope you can clarify my understanding.

OpenID Connect introduces the idea of an id_token, which includes information about the identity of the holder, whereas an OAuth token only tells that the holder is granted to do whatever is defined in the token.

Hence the former is for authentication, and the latter for authorization.
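To make the distinction concrete: the checks below are what a client (relying party) has to perform on an id_token before it may treat the `sub` claim as "this user authenticated at this issuer". This is an added example, not code from the thread or from Okta; it mints an HS256 JWT with a constructed shared secret (real providers sign id_tokens with asymmetric keys published via JWKS) and assumes the hypothetical issuer, client id and nonce values shown.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret shared by the hypothetical identity provider and client.
# Real providers sign id_tokens with asymmetric keys published via JWKS; HS256
# keeps this example self-contained.
SHARED_SECRET = b"demo-secret-not-for-production"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Sign claims as an HS256 JWT; stands in for the identity provider."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_id_token(token: str, issuer: str, client_id: str, nonce: str,
                      now: int = None, secret: bytes = SHARED_SECRET) -> dict:
    """Client-side checks that make an id_token an authentication result.

    An access token is opaque to the client and consumed by the resource
    server. The id_token is addressed to the client, which must verify the
    signature, iss, aud, exp and nonce before trusting 'sub'.
    """
    now = int(time.time()) if now is None else now
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept 'none' or a swapped alg
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id != aud and client_id not in (aud if isinstance(aud, list) else []):
        raise ValueError("token not addressed to this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch, possible replay")
    return claims  # only now may the client say: 'sub' authenticated at 'iss'
```

The nonce is the value the client generated when it started the login and bound to the user's session; checking it is what ties this particular id_token to this particular browser, which an access token never does.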

I honestly tried to follow your line of thought but then you lost me in the middle 🙂 So can you ask your question maybe differently, if you still need some clarification?