My question is: does implementing OAuth 2.0 authentication enable me to authenticate against an OpenID Connect provider?
For instance, Vert.x offers OAuth 2.0 authentication. If implemented, will it be enough to enable authenticating against an OpenID Connect provider?
Thanks in advance.
In general, yes, it's enough, since OpenID Connect is an extension of the OAuth 2.0 spec.
The main difference between OAuth 2.0 and OpenID Connect is that an OAuth 2.0 server in the end (in the response to the get-token request) sends the access_token (usually a UUID string, but it can be a JWT), and then the client app can use it to access the OAuth 2.0 server's (REST) API. The calls to this API are beyond the OAuth 2.0 spec (that's why Facebook, Google and others have their own OAuth connectors).
The OpenID Connect Provider sends in the end both the access_token and the id_token; the latter is a JWT and contains user data (first name, last name, email, etc.). Alternatively, the OpenID Connect Provider may not send the id_token but expect a call to the UserInfo Endpoint that will return the user data.
So you can take the "raw" OAuth 2.0 client and get the access_token from the OpenID Connect Provider with it. Then you can take that token and run an additional HTTP request to the UserInfo Endpoint, decode the data and achieve OpenID Connect functionality.
Yes, OpenID Connect is layered on top of / backward compatible with OAuth 2.0. Hence any OAuth 2.0 client library will be able to authenticate against an OIDC server and if desired read the user profile from the UserInfo Endpoint using a standard OAuth 2.0 access token.