OAuth 2.0 without OIDC (plain OAuth 2.0)

As far as I understand, applications that we can log in to with our different accounts use OpenID Connect (a profile of OAuth 2.0).

OAuth is for authorization and OIDC is for authentication (it has the ID Token and the UserInfo endpoint).

  • So, was it not possible to log in to an application with another application's account using OAuth before OIDC? (If it was possible, how?)

  • If plain OAuth can't be used for authentication, what is/was it used for?
    I mean, what does it do with "authorization" exactly?
    What does it get from the resource server with the access token?

Hi @htnc,

There are a handful of reasons that OIDC and OAuth are separate protocols. As you mentioned, the main difference is they both address two separate (but still intertwined) use cases - authentication and authorization. The following might help with understanding the difference:

Okta lets you request either an ID token (OIDC), an access token (OAuth), or both. This is done by setting the response_type parameter in your request to /authorize.

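The reply above says the choice between an ID token, an access token, or both is made with response_type on the /authorize request. The following is an added example, not code from the thread or from Okta: it builds the three kinds of request, enforces that an ID token is only asked for together with the openid scope and a nonce, and shows the checks a client must run on the ID token before treating it as proof that a user logged in. An access token obtained without openid is only a credential for a resource server and carries no verified identity for the client. The tenant URL, client_id, redirect URI and signing key are constructed placeholders; the ID token is signed with HS256 so the script runs offline, whereas Okta actually signs with RS256 and publishes its keys at a JWKS endpoint, so a real client verifies the signature against those keys instead.

```python
"""Added example (not from the original thread): Okta-style /authorize requests
for the response_type choices in the reply, plus the ID-token checks a relying
party performs. Tenant, client_id, redirect_uri and key are constructed."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://dev-000000.okta.com/oauth2/default"  # hypothetical tenant
CLIENT_ID = "0oaexampleclientid"                       # hypothetical client_id
REDIRECT_URI = "https://app.example.com/callback"      # hypothetical
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"  # HS256 stand-in for Okta's RS256/JWKS


def build_authorize_url(response_type, scopes, state, nonce=None):
    """Build the /authorize request.  'openid' in scope is what turns a plain
    OAuth 2.0 authorization request into an OIDC authentication request."""
    wants_id_token = "id_token" in response_type.split()
    if wants_id_token and "openid" not in scopes:
        raise ValueError("an ID token requires the 'openid' scope")
    if "openid" in scopes and nonce is None:
        raise ValueError("OIDC requests must carry a nonce to bind the ID token to this session")
    params = {
        "client_id": CLIENT_ID,
        "response_type": response_type,  # "code", "token", "id_token", "id_token token", ...
        "scope": " ".join(scopes),
        "redirect_uri": REDIRECT_URI,
        "state": state,                  # CSRF protection for the redirect back
    }
    if nonce is not None:
        params["nonce"] = nonce
    return f"{ISSUER}/v1/authorize?{urlencode(params)}"


def query_params(url):
    """Return the query string of an authorize URL as a flat dict (for inspection)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(sub, nonce, exp_in=300, issuer=ISSUER, audience=CLIENT_ID):
    """Constructed stand-in for the authorization server issuing an ID token."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": sub, "aud": audience,
              "iat": now, "exp": now + exp_in, "nonce": nonce}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_id_token(token, expected_nonce, now=None):
    """Checks a relying party must pass before treating the token as a login.
    Returns the claims on success, None on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # allow-list the algorithm; never honour alg=none
        return None
    expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:             # issued by the server we trust
        return None
    if claims.get("aud") != CLIENT_ID:          # issued for this client, not another app
        return None
    if int(claims.get("exp", 0)) <= now:        # not expired
        return None
    if claims.get("nonce") != expected_nonce:   # bound to the session that started the flow
        return None
    return claims


if __name__ == "__main__":
    # Plain OAuth 2.0: access token only, no identity claims the client can verify.
    print(build_authorize_url("token", ["photos.read"], state="s1"))
    # OIDC: ID token (authentication) and access token (authorization) together.
    print(build_authorize_url("id_token token", ["openid", "profile"], state="s2", nonce="n2"))
    tok = mint_id_token("00uexampleuser", nonce="n2")
    print("claims:", verify_id_token(tok, "n2"))
    print("wrong nonce:", verify_id_token(tok, "n3"))
```

The nonce check is what ties the returned ID token to the browser session that sent the /authorize request; without it an attacker can replay an ID token they obtained for their own account into a victim's session. The audience check matters for the same reason the original question raises: an access token or ID token minted for some other application must not log a user in to this one.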
