OAuth 2.0 vs OpenID Connect (OIDC)
What is the difference between OAuth 2.0 and OpenID Connect (OIDC), and why should we use OIDC for authentication instead of just OAuth?
Think of it this way: OAuth 2.0 is like a key card that lets you into specific rooms in a hotel, while OpenID Connect is like a passport that actually proves who you are.
OAuth 2.0 (Open Authorization)
This is the "key card": it handles authorization. OAuth 2.0 was designed to let a third-party app do something on your behalf without you handing it your password.
Imagine you install a third-party app and it asks for permission to read the photos in your cloud storage account. You grant that one permission at the provider's consent screen, and the app receives a scoped access token for the photos API. It never sees your account password, and it cannot do anything the scope does not cover.
The problem is that OAuth only tells the app that "someone" granted it permission; it does not tell the app who that person is. An access token is a credential for calling an API on a user's behalf, it is opaque to the client, and nothing in OAuth 2.0 itself requires it to carry a verified identity. It is great for delegating access, but it was never meant to prove identity.
OpenID Connect (OIDC)
This is the "passport": it handles authentication. OIDC is a thin identity layer that sits on top of OAuth 2.0. It was created because developers were trying to use OAuth for logins, which is like using a library card as a birth certificate: it sort of works, but it is neither secure nor standardized.
Think of "Sign in with Google" on a third-party site. You authenticate with the identity provider, not the app, and the app gets back a signed statement of who just logged in, rather than a bare permission granted by an unnamed someone.
OIDC adds an ID Token to the mix. It is requested by including the openid scope in an ordinary OAuth authorization request, and it comes back alongside the access token. The ID Token is a signed JWT that carries claims about the user and the login event: a stable subject identifier (sub), who issued it (iss), which client it was issued to (aud), when it expires (exp), the nonce the client sent, and optionally profile claims such as name, email and picture. The client must verify the signature and check iss, aud, exp and nonce before trusting any of it. That turns OAuth (which handles what you can do) into a system that also handles who you are.
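The checks a client has to make on an ID Token before it trusts the identity inside it, and what happens when it accepts a token that was not meant for it, shown as an added example that is not part of the original page. It uses only the Python standard library. The issuer URL, client_id and client_secret are constructed for the demo, HS256 with the client secret stands in for the RS256 public-key signature most providers use, and make_id_token plays the role of the provider's token endpoint so the block runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo identifiers. A real relying party gets client_id and
# client_secret from the identity provider when it registers.
ISSUER = "https://idp.example.com"
CLIENT_ID = "my-web-app"
CLIENT_SECRET = b"demo-client-secret-do-not-reuse"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: bytes) -> str:
    """Mint an HS256-signed JWT. This stands in for the provider's token endpoint;
    a client never mints its own ID Token, it only validates the one it receives."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class InvalidIdToken(Exception):
    pass


def validate_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                      expected_nonce: str, now: Optional[int] = None) -> dict:
    """The checks OIDC Core 3.1.3.7 requires before a client may trust an ID Token."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidIdToken("not a compact JWT")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm we expect; never let the token pick it (alg=none attacks).
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise InvalidIdToken("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidIdToken("bad signature")
    # Only after the signature holds are the claims worth reading.
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise InvalidIdToken("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise InvalidIdToken("token was issued to a different client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise InvalidIdToken("azp does not name this client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise InvalidIdToken("token expired")
    if claims.get("nonce") != expected_nonce:
        raise InvalidIdToken("nonce mismatch")
    if not claims.get("sub"):
        raise InvalidIdToken("no subject")
    return claims


def demo() -> dict:
    """Run four tokens through the validator and report the outcome of each."""
    now = 1_700_000_000
    nonce = "n-0S6_WzA2Mj"  # the value the client put in its authorization request
    base = {"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID,
            "exp": now + 600, "iat": now, "nonce": nonce,
            "email": "jane@example.com", "name": "Jane Doe"}
    tokens = {
        "good": make_id_token(base, CLIENT_SECRET),
        # Same user, same provider, but issued to another app. With the usual
        # RS256 setup the signature verifies for any of the provider's tokens,
        # which is exactly why the aud check matters; the shared secret here
        # just simulates that.
        "other_app": make_id_token({**base, "aud": "some-other-app"}, CLIENT_SECRET),
        "expired": make_id_token({**base, "exp": now - 1}, CLIENT_SECRET),
    }
    # Swap the subject of the good token while keeping its original signature.
    h, _, s = tokens["good"].split(".")
    forged = _b64url_encode(json.dumps({**base, "sub": "attacker"}).encode())
    tokens["tampered"] = f"{h}.{forged}.{s}"

    results = {}
    for name, tok in tokens.items():
        try:
            results[name] = validate_id_token(tok, CLIENT_SECRET, ISSUER,
                                              CLIENT_ID, nonce, now)["sub"]
        except InvalidIdToken as e:
            results[name] = str(e)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} -> {outcome}")
```

The "other_app" case is the "raw OAuth login" failure in miniature: a valid, correctly signed token from the right provider for the right user is still rejected because it was not issued to this client. A client that skips the aud check, or that accepts an access token as proof of login, lets anyone who can obtain a token for that user through some other app log in as them. In production, use a maintained JWT library, fetch the provider's keys from its discovery document, and keep the algorithm pinned as above.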
The Main Differences
Purpose: OAuth 2.0 is delegated authorization (what an app may do on your behalf); OIDC is authentication (who the user is).
Token: OAuth 2.0 yields an access token, meant for the API and opaque to the client; OIDC adds an ID Token, meant for the client, a signed JWT that the client must validate.
How you get it: add the openid scope to a normal OAuth authorization code request and the provider returns an ID Token next to the access token.
Standardization: OIDC fixes the claim names, the UserInfo endpoint and the discovery metadata, so "log in with provider X" works the same way everywhere instead of relying on each provider's custom profile endpoint.
Using "raw" OAuth for logins is like a bouncer letting you into a club because you hold a VIP pass, without checking that the name on the pass is actually yours. The concrete failure: an access token issued to app A can be handed to app B, and if B treats "valid token from this provider" as "this user is logged in", an attacker who obtained a token for the victim through their own app can log in to B as the victim. The ID Token's audience and signature checks are what close that hole.
In short: OAuth is for access; OIDC is for identity. If you want users to "Log In," you need OIDC.