Understanding OAuth, OpenID and JWT made easy

In this article, let's understand Authentication and Authorization and explore in detail about OAuth, OpenID and JWT - how they work.

Introduction

Authentication and Authorization are two terms used interchangeably in the context of Identity management, but serve two different purposes.

What is Authentication?

Authentication means validating the existence of a user against a system. It is the process of confirming the identity of a user or entity.

It involves presenting credentials, such as passwords or biometric data, to verify the claimed identity. Authentication ensures that only authorized individuals can access protected resources, enhancing security and protecting sensitive information.

As a part of Authentication, User provides unique credentials to the system, which has stored them before.

The system checks for the credentials given by the user against its own stored record and checks for a match. If the credentials match with the record, it means the user is the expected one and is said to be Authenticated.

Each system maintains its own ways to authenticate an incoming user, some use the traditional Username/Email Password combination, some use OTP (One Time Password) based authentication while few go for biometrics (fingerprint, iris etc.) to verify.

What is Authorization?

Authorization comes after Authentication.

It means verifying whether the user is permitted to use a resource in a system by means of any secret information and granted access.

It is the process of granting or denying access rights to a user or entity after successful authentication.

It determines what actions or resources a user is allowed to access based on their permissions and privileges.

By implementing authorization mechanisms, organizations can enforce restrictions, maintain data privacy, and prevent unauthorized users from accessing sensitive information or performing certain actions.

Authentication happens before Authorization, and Authorization requires Authentication.

difference between authentication & authorization

AuthenticationAuthorization
Authentication is verifying the identity of a user or entity, that they are who they claim to be.Authorization is granting or denying access rights to a user or entity based on their authenticated identity
verification is done via credentials like usernames, passwords, or biometric information. the access levels or permissions that an authenticated user should have is determined based on their role, privileges, or permissions assigned.
Authentication occurs before AuthorizationAuthorization happens after a User Identity is Authenticated

What is OAuth?

OAuth is a protocol which explains how a user should be authorized by a system. It was principally developed for Authorization but is generic to implement for larger purposes like API management and others.

OAuth stands for Open Authorization. It is built strictly for Access Authorization.

OAuth is an open standard protocol that allows users to grant limited access to their protected resources (such as social media profiles or online accounts) to third-party applications without sharing their credentials.

It enables secure and delegated authorization, ensuring that users maintain control over their data while granting permissions to trusted applications.

OAuth is widely used in various scenarios, including social login integrations and API access management.

How does OAuth work?

To explain the OAuth flow, let’s take an example of an application MyNinja.com which needs to access data of a User from Google, which is the data provider.

The entire flow in OAuth happens as follows.

User wants the application MyNinja.com to access data from another application Google which holds his data. In this case, Google is the Data Provider or DP

  1. MyNinja.com redirects User to Google.
  2. Google prompts the user to validate himself against Google backend.
  3. User enters his credentials in Google – User Authentication.
  4. Google prompts a screen to User asking his permission to let MyNinja.com access his data from Google. It is called a Consent screen. User grants permission.
  5. Google redirects to MyNinja.com with an access information (a token) which holds the key to the user’s data in Google.
  6. MyNinja.com requests data from Google by means of a REST API, along with the token of the user.
  7. Google validates the token and returns data to MyNinja.com.

OAuth is now succeeded by OAuth2 which adds more features and tries to unify the user’s authorization mechanism among all the auth providers (IDP). Popular Social Login Providers such as Google, Facebook use this to provide delegated logins to applications.

Properties of OAuth Protocol

  1. OAuth is strictly an authorization protocol, although generic in implementation.
  2. This protocol was brought in to bring in uniformity among the identity providers (IDPs) available in the market.

    Previously these providers had different implementations of authorization among one another, and the resultant access information was also bit different in each provider.

    OAuth solves these issues by defining guidelines of authorization should happen and what should be returned.
  3. Although OAuth defines the process, the token specification was not made. This means that the OAuth token can be of different formats, structures and crypto signatures for each IDP.
  4. An OAuth token doesn’t necessarily contain any user information, although non-application-specific information like userId or objectId can be passed.

What is OpenID?

OpenID is used for authenticating a user against a backend.

OpenID stands for Open Identity.

It is an authentication protocol built on top of OAuth2 protocol that enables users to authenticate themselves to multiple websites or applications using a single set of credentials via signed JSON Web Tokens (JWT).

It simplifies the authentication process for users by eliminating the need to remember separate usernames and passwords for different services.

With OpenID, users can securely and conveniently access multiple platforms while reducing the risk of password-related vulnerabilities.

It has three versions –

  • OpenID
  • OpenID 2 and
  • The latest, OpenID Connect (OIDC)

How does OpenID authentication work?

Let’s take an example of an application MyNinja.com which needs to authenticate a user using his credentials from Google.

The authentication flow in this case can happen using OpenID as follows.

  1. The application MyNinja.com provides him with three provider options to Identity: Google, Twitter or Facebook. User clicks on Google.
  2. The application MyNinja.com redirects users to Google, which shows a login screen.
  3. Users enter his credentials and the credentials are validated against Google.
  4. On success, Google redirects back to MyNinja.com with a special token (authentication).
  5. MyNinja.com receives the token and reads the information, validates against its own userstore and loads the user profile available within its system.

Mobile and web applications delegate their user identity management to available third-party identity providers through third-party logins, such as social logins.

In these scenarios, the identity providers return a special token which contains user information necessary for the applications to authenticate the user in question.

Properties of OpenID Connect

  1. OpenID Connect (the latest version of OpenID after OpenID and OpenId2) is written on top of the OAuth2 protocol with authentication in mind.
  2. This protocol helps in integration of User Identities across different application platforms for a single sign on (SSO) experience.
  3. It defines the token to be returned as an ID TOKEN in contrast to the ACCESS TOKEN issued by OAuth2.
  4. To help keep in compliance with the OAuth2 protocol, OpenID also returns an ACCESS TOKEN and a REFRESH TOKEN which can be used to reissue access token when the previous token expires.
  5. ID TOKEN contains data about the user in question apart from other information, which doesn’t require another request for information access.

The specification defines how information needs to be passed via the following properties –

  • sub – unique user identifier
  • iss – the identity provider or issuer of token
  • aud – the client application registered under the provider for which the token was intended to

Difference between oauth and openid

OAuthOpenID
focuses on delegated authorization, allowing users to grant access to their resources to third-party applications without sharing their credentialsfocuses on enabling users to authenticate themselves across multiple websites or applications using a single set of credentials
Deals with Authorization and access controlFocuses solely on Authentication
Utilizes ACCESS TOKEN to grant authorization to resources.Uses ID TOKEN to provide information about the authenticated user.
Used in scenarios where a user grants access to their resources to third-party applications, such as social media integrations and API access management.Used in single sign-on (SSO) solutions, where users can authenticate themselves across multiple websites or applications seamlessly
OAuth has multiple versions and specifications available such as OAuth 1.0a and OAuth 2.0OpenID Connect is built on top of OAuth 2.0 and extends it to provide authentication capabilities, creating a comprehensive identity framework

What is JWT (JSON Web Tokens)?

The JSON Web Tokens or JWT are defined by the standard as follows:

JWT is a compact url-safe means of representing claims to be transferred between two parties. The claims in a JWT is a JSON (JavaScript Object Notation) Object that is used as the payload of a JSON Web Signature (JWS) or a plain text of JSON Web Encryption (JWE) structure enabling claims to be digitally signed or MACed or encrypted.

It is a compact, self-contained method for securely transmitting information between parties as a JSON object.

It consists of three parts: a header, a payload, and a signature.

  • Header contains information about the type of token and the algorithm being used to encrypt
  • Payload contains the claim information in the form of an encrypted JSON object
  • Signature is an offset attached which contains a verified signature for token integrity

JWTs are widely used for stateless authentication and authorization, as the token itself carries the necessary information, reducing the need for server-side storage and enabling scalability and easy integration in various applications and systems.

JWTs are used in OpenID Connect authentication flows, while most of the popular Identity Providers have moved on to use JWT format for Authorization token formats as well.

OAuth and OpenID are protocols, while JWT is an encrypted string used for securely transmitting information between the Provider and the Relying Party.

Limitations of JWT

  1. Token Size – JWT size increases as the information they carry increases. This can cause additional network overhead when we pass the token for every request.
  2. Revocation – Once a JWT is issued, it cannot be revoked until it expires, If one wants a token to be revoked for whatever reason, it is quite challenging.
  3. Changing Claims – Since JWT carries roles information as claims, in cases when the user roles change dynamically over the time or need a quick refresh, we need to issue fresh tokens or wait until the token expires.
  4. Token Storage – It is recommended not to put sensitive information in JWT as it increases the risk of security attacks and storage requirements on the client.
  5. Fine-Grained Authorization – JWT supports passing user role information and some basic authorization information. If we need additional authorization requirements or fine-grained access, JWT may not be sufficient.

Conclusion – JWT vs OAuth vs OpenID

OAuth, OpenID, and JWT are powerful tools for enhancing API security.

OAuth enables delegated authorization, allowing users to grant controlled access to their resources without sharing credentials. OAuth is widely used in social media login integrations and API access management.

OpenID is an authentication protocol built on top of OAuth. It simplifies authentication by providing a single sign-on solution across multiple websites or applications. It helps reduce password fatigue and enhance user experience.

JWT, on the other hand, offers a compact and secure method for transmitting information between parties. It enables stateless authentication and authorization by securely storing claims within the token.

By leveraging these technologies, developers can establish secure and seamless API interactions while protecting user data.

Implementing OAuth, OpenID, and JWT empowers organizations to bolster their API security, enhance user experience, and build trust in their digital ecosystems.


Buy Me A Coffee

Found this article helpful? Please consider supporting!

Ram
Ram

I'm a full-stack developer and a software enthusiast who likes to play around with cloud and tech stack out of curiosity. You can connect with me on Medium, Twitter or LinkedIn.

2 Comments

  1. Thank you! This article of yours is the best explain, clarification and differentiation of the three things OAuth, OpenID and JWT I’ve ever read!

Leave a Reply

Your email address will not be published. Required fields are marked *