
oauth vs oidc: What are the differences?

Introduction:
OAuth 2.0 and OpenID Connect (OIDC) are closely related protocols used to secure access and sign-in in web applications. They are often mentioned together, but key differences distinguish them.

1. **Protocol Scope**: OAuth 2.0 focuses on authorization, allowing a user to grant a third-party application access to their resources without sharing their credentials. On the other hand, OIDC is an identity layer built on top of OAuth 2.0, providing a standardized way for applications to verify the identity of users based on authentication performed by an authorization server.

2. **Token Types**: OAuth 2.0 primarily deals with access tokens, which are used by clients to access protected resources on behalf of the resource owner. In contrast, OIDC introduces ID tokens, JWTs (JSON Web Tokens) containing identity information about the user, in addition to access tokens. These ID tokens help in verifying the user's identity to the client application.

3. **End User Authentication**: OAuth 2.0 does not define how the end-user authentication should be performed, leaving it up to the individual implementations. In OIDC, the authentication process is clearly defined using standardized endpoints and flows, ensuring secure and consistent authentication mechanisms across applications.

4. **User Information**: While OAuth 2.0 does not provide a standard way for clients to retrieve user information, OIDC includes a UserInfo endpoint that allows clients to fetch additional information about the authenticated user, such as their profile data, email address, etc.

5. **Support for Single Sign-On (SSO)**: OIDC inherently supports Single Sign-On (SSO) capabilities, where a user can log in once and access multiple applications without the need to reauthenticate. OAuth 2.0, in its basic form, does not provide SSO functionalities, requiring users to authenticate separately for each application.

6. **Compliance and Security**: OIDC includes additional security features such as signed ID tokens, session management, and logout functionality, making it more suitable for scenarios where security and compliance requirements are critical. OAuth 2.0, while secure when implemented correctly, may not offer the same level of compliance out of the box.

In summary, OAuth 2.0 primarily focuses on authorization, while OpenID Connect extends OAuth 2.0 to provide authentication and identity verification, offering standardized user information retrieval, user authentication processes, and enhanced security features.
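
The ID token checks behind points 2 and 6, as an added Go example that is not code from this page or from either package it compares: an OIDC client accepts an identity only after verifying the token's signature and its `iss`, `aud`, `nonce` and `exp` claims, whereas an opaque OAuth 2.0 access token carries nothing the client can check. It assumes an HS256-signed token keyed with a shared client secret and a single-string `aud`; `mint`, `VerifyIDToken`, the issuer URL, client ID, nonce and secret are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWS segments are unpadded base64url

// sign returns the base64url HS256 tag over a JWS signing input.
func sign(in string, key []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(in))
	return b64.EncodeToString(m.Sum(nil))
}

func mint(claims string, key []byte) string { // constructed ID token for the offline demo
	in := b64.EncodeToString([]byte(`{"alg":"HS256"}`)) + "." + b64.EncodeToString([]byte(claims))
	return in + "." + sign(in, key)
}

// VerifyIDToken returns sub only after signature, iss, aud, nonce and exp all check out.
func VerifyIDToken(tok string, key []byte, iss, aud, nonce string, now time.Time) (string, error) {
	p := strings.Split(tok, ".") // HS256 is pinned below; the header's alg is never consulted
	if len(p) != 3 || !hmac.Equal([]byte(p[2]), []byte(sign(p[0]+"."+p[1], key))) {
		return "", fmt.Errorf("bad signature")
	}
	var c struct{ Iss, Aud, Sub, Nonce string; Exp int64 } // assumption: aud is one string
	raw, err := b64.DecodeString(p[1])
	if err != nil || json.Unmarshal(raw, &c) != nil {
		return "", fmt.Errorf("bad claims")
	}
	if c.Iss != iss || c.Aud != aud || nonce == "" || c.Nonce != nonce {
		return "", fmt.Errorf("iss/aud/nonce mismatch: iss=%q aud=%q", c.Iss, c.Aud)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return "", fmt.Errorf("expired at %d", c.Exp)
	}
	return c.Sub, nil
}

func main() { // constructed issuer, client id, nonce and secret
	tok := mint(`{"iss":"https://idp.example","aud":"app-1","sub":"alice","nonce":"n-1","exp":4102444800}`, []byte("demo-secret"))
	fmt.Println(VerifyIDToken(tok, []byte("demo-secret"), "https://idp.example", "app-1", "n-1", time.Now()))
}
```

A token minted for a different client ID, replayed with a stale nonce, or presented as a bare access-token string fails closed here, as does one whose `aud` is an array.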

oidc release info: latest version 3.10.0, license Apache-2.0.

What is oauth?

OAuth 1.0 implementation in go (golang).

What is oidc?

A Go OpenID Connect client.

    What are some alternatives to oauth and oidc?
    go
    Google Cloud Client Libraries for Go.
    proto
    Go support for Google's protocol buffers.
    cloudflare
    This package provides an interface to the CloudFlare gAPI.
    aws
    AWS SDK for the Go programming language.
    fsnotify
    Cross-platform file system notifications for Go.