interview

home / developersection / interviews / what is the difference between oauth and openid connect?

Ask Question
ICSM Computer

IT-Hardware & Networking

Ravi Vishwakarma is a dedicated Software Developer with a passion for crafting efficient and innovative solutions. With a keen eye for detail and years of experience, he excels in developing robust software systems that meet client needs. His expertise spans across multiple programming languages and technologies, making him a valuable asset in any software development project.

Follow
Can you answer this question?
Answer

1 Answers

ICSM Computer

ICSM Computer

08-Jun-2025

The difference between OAuth 2.0 and OpenID Connect (OIDC) lies in purpose:

Protocol Purpose Use Case
OAuth 2.0 Authorization (access control) "Can this app access my data?"
OpenID Connect Authentication (user identity) "Who is this user?"

OAuth 2.0: Authorization Framework

  • Goal: Allow a third-party app to access a resource on behalf of a user.
  • Does NOT identify who the user is.
  • Returns: Access Token (for accessing APIs).
  • Use Case: Grant app access to your Google Drive files without sharing password.

Example:

A fitness app wants access to your Fitbit data (but doesn't need your email or who you are).

OpenID Connect (OIDC): Identity Layer on Top of OAuth 2.0

  • Built on top of OAuth 2.0.
  • Adds authentication capabilities.
  • Returns: ID Token (JWT format), plus access token.
  • Use Case: Let users log in to your app with Google, Microsoft, etc.

Example:

Your app lets users log in with their Google account → you get who the user is (email, name, etc.).

Technical Differences

Feature OAuth 2.0 OpenID Connect
Primary Purpose Authorization Authentication + Authorization
Token Types Access Token Access Token + ID Token (JWT)
User Info Not provided Provided via userinfo endpoint
Standard Login Flow Not defined Well-defined login process
Token Validation App-defined JWT signature validation supported
Scopes e.g., read, write Includes openid, profile, email

Example: Login with Google

If you just use OAuth 2.0, you'll get an access token for calling APIs (e.g., Google Calendar API), but you won't know who the user is.

If you use OpenID Connect, you'll also get:

  • id_token: contains user identity info (email, sub, name, etc.)
  • Access to a userinfo endpoint for more user claims

Summary

  • Use OAuth 2.0 if you only need to authorize access to APIs.
  • Use OpenID Connect if you want to log in users and get their identity.
advertising
advertising

Liked By

We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy