I have already introduced you to OAuth 2.0. OAuth 2.0 is only a framework for authorization: it defines, in the access token, which resources a Client Application is allowed to use, so that when the Client Application sends a request to the Resource Server, the Resource Server can rely on the access token to decide whether or not to grant access to the resource.
But when we talk about security, as you may know, there is also authentication, and OpenID Connect is an extension of OAuth 2.0 introduced to add it. With OpenID Connect, the access token that the Client Application presents to the Resource Server also carries information about the user who granted access to those resources.
In OpenID Connect, the Authorization Server is called the Identity Provider. The Identity Provider takes care of both authentication and authorization.
As I said, the access token issued by an Identity Provider will contain information about the authenticated user; this information is called the Identity Token, or ID token for short.
Here is the content of an access token that I decoded using the website https://jwt.io/:
```json
{
  "exp": 1625973312,
  "iat": 1625973012,
  "jti": "57e9401f-c98b-43a3-9b5e-eb7bff182a5f",
  "iss": "http://localhost:8080/auth/realms/huongdanjava",
  "aud": "account",
  "sub": "8a5092fa-d815-4620-92ab-4ac87542685c",
  "typ": "Bearer",
  "azp": "angular-test",
  "session_state": "0e044481-02e3-4962-adaa-0683c2c26fbf",
  "acr": "1",
  "realm_access": {
    "roles": [
      "offline_access",
      "uma_authorization",
      "default-roles-huongdanjava"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "email profile",
  "email_verified": false,
  "name": "Khanh Nguyen",
  "preferred_username": "huongdanjava",
  "locale": "en",
  "given_name": "Khanh",
  "family_name": "Nguyen",
  "email": "huongdanjava.com@gmail.com"
}
```
The claims that follow ‘scope’ in the access token above (from "email_verified" onwards) are the content of that ID token. As you can see, this is the information about the user who logged in and granted access to the Client Application. You can see the standard claims of ID tokens here.
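As an added example (not code from the original post), the script below does in Python what jwt.io does in the browser: it base64url-decodes the payload, separates the OpenID Connect standard claims (the ID-token part) from the OAuth 2.0 authorization claims such as scope and roles, and then shows the checks a Resource Server must perform before trusting any of them (signature, iss, aud, exp). The HS256 secret is a hypothetical test key used only to build a sample token; the claim values are a subset of the decoded token above.

```python
import base64, hashlib, hmac, json

# Claims from the OpenID Connect "Standard Claims" list; everything else in the
# token is OAuth 2.0 / Keycloak-specific authorization data (scope, roles, ...).
OIDC_STANDARD_CLAIMS = {"sub", "name", "given_name", "family_name", "middle_name", "nickname",
                        "preferred_username", "email", "email_verified", "locale", "picture", "updated_at"}

def b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Parse the payload like jwt.io does: readable, but NOT yet trustworthy."""
    return json.loads(b64url_decode(token.split(".")[1]))

def split_claims(claims: dict) -> tuple[dict, dict]:
    """Separate the ID-token part (who the user is) from the authorization part."""
    identity = {k: v for k, v in claims.items() if k in OIDC_STANDARD_CLAIMS}
    authz = {k: v for k, v in claims.items() if k not in OIDC_STANDARD_CLAIMS}
    return identity, authz

def verify_hs256(token: str, secret: bytes, issuer: str, audience: str, now: int) -> bool:
    """Checks a Resource Server must pass before acting on any claim in the token."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    # Recompute the MAC with our own key; the 'alg' in the header is never trusted.
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return False                                  # forged or tampered payload
    claims = json.loads(b64url_decode(payload_b64))
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]    # 'aud' may be a string or a list
    return (claims.get("iss") == issuer               # issued by our Identity Provider
            and audience in aud                       # intended for this Resource Server
            and claims.get("exp", 0) > now)           # not expired

def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Build a signed token for testing (hypothetical HS256 secret; Keycloak uses RS256)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

# Constructed sample: a subset of the claims from the decoded token above.
SAMPLE_CLAIMS = {"exp": 1625973312, "iat": 1625973012, "aud": "account", "scope": "email profile",
                 "iss": "http://localhost:8080/auth/realms/huongdanjava", "realm_access": {"roles": ["offline_access"]},
                 "sub": "8a5092fa-d815-4620-92ab-4ac87542685c", "email_verified": False, "name": "Khanh Nguyen",
                 "preferred_username": "huongdanjava", "email": "huongdanjava.com@gmail.com"}
```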
Current open-source Identity and Access Management solutions such as Keycloak implement OpenID Connect, not just OAuth 2.0.