preface

For example, OIDC has an authentication server IS. User U has submitted a user name and password (or confirmed his identity in some other way) on IS to complete registration, and U now wants to use a service provided by SP. So U logs in through the IS login page carrying SP's information; IS then replies to SP with U's id, the openID, and SP knows whether the visiting user is U. In OIDC this id is carried in the ID_token, which is in JWT format. The ID_token is produced by encrypting the openID and other contents with the private key held by IS; IS's public key is distributed to each SP, and each SP uses that public key to decrypt the ID_token and confirm U's identity.
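The ID_token exchange described above, as an added example in Go that is not from the original post. In a JWT the private-key step the text calls encryption is a signature (RS256 here): IS signs the token with its private key, and SP verifies the signature with the IS public key, pins the algorithm, and checks iss, aud and exp before trusting sub as U's openID. The issuer URL, client id and the four-claim subset are constructed for the example.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

type IDClaims struct { // the ID_token claims an SP must check (constructed subset of the OIDC claims)
	Iss string `json:"iss"` // which IS issued the token
	Sub string `json:"sub"` // U's openID at that IS
	Aud string `json:"aud"` // the SP (client_id) the token is meant for
	Exp int64  `json:"exp"` // expiry, unix seconds
}
var b64 = base64.RawURLEncoding // JWT uses unpadded base64url
// MintIDToken is the IS side: RS256-sign header.payload with the IS private key.
func MintIDToken(key *rsa.PrivateKey, c IDClaims) (string, error) {
	pl, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + b64.EncodeToString(pl)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return input + "." + b64.EncodeToString(sig), err
}

// VerifyIDToken is the SP side: sub is trusted as U's openID only if the signature verifies with the IS public key and iss, aud, exp pass.
func VerifyIDToken(pub *rsa.PublicKey, token, wantIss, wantAud string, now time.Time) (string, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return "", errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := b64.DecodeString(p[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return "", errors.New("alg is not RS256") // pin the algorithm; never accept alg=none
	}
	h := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if sig, err := b64.DecodeString(p[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return "", errors.New("bad signature")
	}
	var c IDClaims
	if pb, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(pb, &c) != nil ||
		c.Iss != wantIss || c.Aud != wantAud || now.Unix() >= c.Exp {
		return "", errors.New("payload, iss, aud or exp rejected")
	}
	return c.Sub, nil
}
```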

OAuth2 likewise has an authentication server IS, and user U has submitted a user name and password (or confirmed his identity in some other way) on IS to complete registration; IS also holds U's mobile phone number and other information. User U wants to use a service provided by SP, and SP wants to get U's mobile phone number from IS. So U logs in through the IS login page carrying SP's information, and at login IS shows U the information SP wants to obtain. After U agrees, IS issues SP an access_token tied to the permission to obtain that information. Whenever SP wants information about U, it requests it from IS with the access_token. In this way SP never learns U's login user name and password at IS, yet it can obtain the information within the scope of the authorization. Of course, after obtaining the token SP can also get U's openID from IS. The access_token can be a string of meaningless characters or a JWT carrying information.

OAuth2 and OpenID Connect

app oauth2 (PKCE)
