OAuth2 and OpenID Connect are often mentioned together, and many developers assume they solve the same problem.
In reality, they serve different purposes.
Understanding the difference is essential when designing authentication and authorization systems.
What OAuth2 Actually Is
OAuth2 is an authorization framework.
It allows an application to access resources on behalf of a user without sharing the user's credentials.
Instead of sending a username and password to every service, the client receives an access token issued by an Authorization Server.
That token can then be used to request resources from a Resource Server.
Example scenario:
A user allows a third-party application to access their data stored in another service.
OAuth2 enables this delegation securely.
Why OAuth2 Is Not Authentication
A common misconception is that OAuth2 is used for authentication.
OAuth2 does not tell an application who the user is.
It only answers the question:
Is this client allowed to access this resource?
An access token proves that the client has permission, but it does not provide reliable identity information about the user.
Because of this limitation, OAuth2 alone is not sufficient for authentication.
What OpenID Connect Adds
OpenID Connect (OIDC) is a layer built on top of OAuth2.
It adds the missing piece: authentication.
OIDC introduces a new token type called the ID Token.
The ID Token contains identity information about the authenticated user, such as:
- User identifier
- Issuer
- Authentication time
- Token expiration
This allows the client application to confirm who the user is.
In other words:
| Technology | Purpose |
|---|---|
| OAuth2 | Authorization |
| OpenID Connect | Authentication |
ID Token vs Access Token
Understanding the difference between these two tokens is important.
Access Token
Used to access protected resources.
Example:
GET /api/user-data
Authorization: Bearer access_token
The resource server validates the token and returns the requested data.
ID Token
Used to identify the authenticated user.
The client application can inspect the token to obtain identity information.
Typical fields in an ID Token include:
- sub (user identifier)
- iss (issuer)
- aud (audience)
- exp (expiration time)
ID Tokens are commonly implemented as JWTs (JSON Web Tokens).
Real Example Flow
A simplified OpenID Connect flow looks like this:
- The user attempts to log in to an application.
- The application redirects the user to an Authorization Server.
- The user authenticates (login, MFA, etc.).
- The Authorization Server issues:
  - an Access Token
  - an ID Token
- The application uses the ID Token to identify the user.
- The Access Token is used to request data from APIs.
Conclusion
OAuth2 and OpenID Connect work together but serve different roles.
OAuth2 provides authorization.
OpenID Connect provides authentication by adding identity information on top of OAuth2.
Understanding this distinction helps developers design secure and scalable authentication systems.
If you want to understand the different OAuth2 flows in detail, you can read my previous article:
Understanding OAuth2 Grant Types
https://dev.to/dkforge/understanding-oauth2-grant-types-50p8