IT:AD:Whitepapers:OIDC
Background
OAuth
OAuth 1.0 Protocol:
* Is an Open Standard authorisation (as opposed to authentication) protocol
* Provides secure access delegation: it specifies a process for resource owners to authorise third-party access to their server resources without sharing their credentials
* Published as RFC 5849
* Notable use cases: Twitter
* Does not require HTTPS: each request carries its own signature (HMAC-SHA1 or RSA-SHA1) over the request parameters, and that signing is what protects it over plain HTTP

OAuth 2.0 Authorisation Framework:
* Is an Open Standard framework (not a protocol)
* Published as RFC 6749 (the core framework); RFC 8252 covers its use by native apps
* OIDC was developed on top of it
* Mandates HTTPS/TLS, and so dispenses with message-level signing, encryption, channel binding and client authentication; the transport is expected to provide them
* Being loosely defined, with many optional grant types and parameters, two implementations are less likely to interoperate without a profile that pins the choices down
* Has been criticised by security experts (including one of its own lead authors, who withdrew from the specification in 2012) as leaving too many security-relevant choices to implementers
* Notable use cases: Google, AAD (Azure AD)
* It is referred to as an authorisation framework because it does not return an identity token; it returns an access token that authorises calls to resource servers, including calls back to the identity server for additional information about the user. The access token is a bearer credential: possessing it does not prove that the party presenting it is the principal who authenticated
OpenID (1.0 and 2.0):
* Worked well, but had adoption problems: it was XML based, used a custom signature scheme that was hard to implement correctly, and could not handle native applications
OIDC's key characteristics include:
* Is an Open Standard protocol
* Addresses authentication
* Provides a way to identify an end-user and obtain basic information about the user via REST API endpoints (the signed ID Token, plus the UserInfo endpoint)
* Is the third pass at OpenID, this time built on top of OAuth 2.0's authorisation framework
* Published by the OpenID Foundation as OpenID Connect Core 1.0; it is not an IETF RFC (RFC 6749 is the underlying OAuth 2.0 framework)
* Uses OAuth 2.0, REST, JSON, JWT
* Notable users: Google, Microsoft, Amazon, SalesForce, Ping
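An added example, not part of the original page and not code from any of the vendors named above, to show the difference the two lists above draw: an OAuth 2.0 access token is a bearer credential that says nothing about who is holding it, whereas an OIDC ID Token is a signed JWT that the Relying Party verifies before trusting the identity claims in it. The issuer, client id, client secret, subject and nonce are constructed values. HS256 (a MAC keyed with the client secret, one of the algorithms OIDC Core permits) is used so that the block runs on the Python standard library alone; a real OP would normally use RS256 with keys fetched from its JWKS endpoint, but the claim checks are the same.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the example; not from any real OP or RP.
ISSUER = "https://op.example.com"
CLIENT_ID = "rp-client-123"
CLIENT_SECRET = b"a-long-random-client-secret-shared-out-of-band"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def mint_id_token(subject: str, nonce: str, now: int, lifetime: int = 300) -> str:
    """OP side: issue an HS256-signed ID Token bound to this client and to the RP's nonce."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
              "iat": now, "exp": now + lifetime, "nonce": nonce}
    signing_input = _json_b64(header) + "." + _json_b64(claims)
    sig = hmac.new(CLIENT_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token(token: str, expected_nonce: str, now: int) -> dict:
    """RP side: the checks OIDC Core 1.0 section 3.1.3.7 requires before trusting the claims.
    Raises ValueError on the first failed check; returns the claims on success."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm from RP configuration; never let the token pick it (rejects 'none').
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(CLIENT_SECRET, (h_b64 + "." + c_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("not issued for this client")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def _outcome(token: str, nonce: str, now: int) -> str:
    try:
        return "ok:" + validate_id_token(token, nonce, now)["sub"]
    except ValueError as exc:
        return "rejected:" + str(exc)


def demo(now: int = 1_700_000_000) -> dict:
    """Run the RP validation over a genuine token and four manipulated ones."""
    nonce = "n-0S6_WzA2Mj"
    good = mint_id_token("alice", nonce, now)
    h, c, s = good.split(".")
    claims = json.loads(_b64url_decode(c))
    # Body edited to claim a different subject, original signature kept.
    tampered = h + "." + _json_b64({**claims, "sub": "admin"}) + "." + s
    # Unsigned token with alg=none, as an attacker who cannot sign would try.
    alg_none = _json_b64({"alg": "none", "typ": "JWT"}) + "." + _json_b64({**claims, "sub": "admin"}) + "."
    return {
        "genuine": _outcome(good, nonce, now),
        "tampered_subject": _outcome(tampered, nonce, now),
        "alg_none": _outcome(alg_none, nonce, now),
        "replayed_in_other_session": _outcome(good, "different-nonce", now),
        "expired": _outcome(good, nonce, now + 600),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:28s} {result}")
```

The nonce check is what ties the ID Token to the browser session that started the login, so a token captured from one session cannot be replayed into another; the pinned `alg` is the check most often missing in hand-rolled validators, and it is the RP's configuration (or the OP's discovery document), not the token header, that must decide which algorithms are acceptable.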
Terms
- OpenID:
  - Identity Selector and STS (Security Token Service)
  - Identity Provider (IP or IdP): as opposed to a Resource Provider.
- OAuth:
  - Identity Provider (IP): as opposed to a Resource Provider. Note that RFC 6749 itself does not use this term; its four roles are resource owner, resource server, client and authorization server, and the IdP here corresponds to the authorization server.
  - Resource Provider (RP): the server holding the protected resource that the access token unlocks (RFC 6749's resource server).
- OIDC:
  - OpenID Provider (OP): the OIDC specialisation of an IdP; it authenticates the end-user and issues the ID Token. The name is a carry-over from OpenID 2.0 and is a poor fit, since unlike an OpenID 2.0 provider it does not return an identifier URL but a signed token.
  - Relying Party (RP): the party that relies on the OP to authenticate the end-user. In OAuth terms this is the client application, not the Resource Provider, so the abbreviation RP means different things in the two lists above.