OAuth2.0 without OIDC (Plain OAuth2.0)

htnc · August 2, 2021, 12:37pm

As far as I understand, applications that we can login with our different accounts use OpenID Connect(A profile of OAuth2.0).

OAuth is for Authorization and OIDC is for authentication(It has ID Token-User Info Endpoint).

So, was it not possible to login to an application from another application account using OAuth before OIDC? (If possible, how?)
If plain OAuth can’t be used for authentication, what is/was it used for?
I mean what does it do with ‘authorization’ exactly?
What does it get from the resource service with the access token?

marcusi · August 2, 2021, 6:19pm

Hi @htnc ,

There are a handful of reasons that OIDC and OAuth are separate protocols. As you mentioned, the main difference is they both address two separate (but still intertwined) use cases - authentication and authorization. The following might help with understanding the difference:

OAuth 2.0 and OpenID Connect Overview

Okta lets you request either an ID token (OIDC), an access token (OAuth), or both. This is done by setting the response_type parameter in your request to /authorize