OpenID Connect

Notes on OpenID Connect (OIDC), the identity layer built on top of OAuth 2.0: OAuth 2.0 handles authorization (delegated access to resources), and OIDC adds authentication (a signed statement of who the user is) on the same flows

Overview

OpenID Connect Flow (Steps)

Let’s walk through what the flow looks like with an example: logging in to Asana with a Google account. In OIDC terms, Asana is the Relying Party (the OAuth client) and Google is the OpenID Provider (the authorization server that also authenticates the user).

  1. User navigates to Asana
  2. User clicks Log In With Google
  3. Asana redirects the user’s browser to Google’s authorization endpoint (the user is no longer in Asana at all)
    1. The request carries Asana’s client_id, its registered redirect_uri, the requested scopes (at least openid), and a random state value that Asana stores in the user’s session; a nonce and a PKCE code_challenge should be sent too
  4. User authenticates with their Google credentials
  5. User is asked to consent to Asana receiving some of their information from Google
    1. Based on the requested scopes (e.g. openid email profile)
  6. User accepts and Google redirects the browser back to Asana’s registered redirect_uri
    1. The redirect carries a short-lived, single-use authorization code plus the state value; Asana must check that state matches what it stored before doing anything with the code
  7. Asana takes the auth code and exchanges it at Google’s token endpoint (a direct server-to-server call, authenticating with its client_secret and, if PKCE was used, the code_verifier)
  8. Google returns back an Access Token & an ID Token (and optionally a Refresh Token)
    1. ID Token is for identifying the user (authentication). It is a signed JWT; Asana must verify the signature against Google’s published keys and check iss, aud (its own client_id), exp and nonce before trusting any claim in it. The sub claim is the stable, provider-unique identifier for the user
      1. Note: I’m still unsure what this is exactly used for. Where should it be stored in Asana’s DB?
    2. Access Token is for accessing Google resources (authorization), e.g. the UserInfo endpoint and whatever Google APIs the granted scopes cover. It is opaque to Asana and is not proof of who the user is
  9. Asana uses the Access Token to query Google’s UserInfo endpoint for user info
  10. Google responds to Asana with the user’s profile claims, which should carry the same sub as the ID Token
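The whole exchange above, with both the Asana (relying party) side and a stand-in for Google’s side in one script, as an added runnable example. This is not code from these notes, from Asana, or from Google; the issuer URL, endpoints, client_id, client_secret, redirect_uri, user id and email address are all constructed for the example. To stay standard-library only, the stand-in provider signs the ID Token with HS256 keyed by the client_secret, which the OIDC spec permits for confidential clients; Google itself signs with RS256, and a real relying party verifies against the keys published at the jwks_uri from Google’s discovery document instead.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed identifiers: a stand-in for Google as the OpenID Provider and a
# hypothetical relying party "asana.example". None of these are real.
ISSUER = "https://accounts.example.com"
AUTHORIZATION_ENDPOINT = ISSUER + "/o/oauth2/v2/auth"
CLIENT_ID = "asana-example-client-id"
CLIENT_SECRET = "asana-example-client-secret"   # confidential, server-side only
REDIRECT_URI = "https://asana.example/oauth/callback"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Steps 2-3, relying party: build the authorization request; state, nonce and the
# PKCE verifier stay in the user's session so the callback and tokens can be checked.
def build_authorization_request():
    verifier = b64url(secrets.token_bytes(32))
    session = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16),
               "code_verifier": verifier}
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid email profile", "state": session["state"],
              "nonce": session["nonce"], "code_challenge_method": "S256",
              "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest())}
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params), session

# Steps 4-6, provider (simulated): user logs in and consents; the provider redirects
# back to the registered redirect_uri with a single-use code and the same state.
_ISSUED_CODES = {}

def provider_authorize(auth_url: str, user_sub: str, email: str) -> str:
    q = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
    if q.get("response_type") != "code" or "openid" not in q.get("scope", "").split():
        raise ValueError("not an OIDC authorization code request")
    code = secrets.token_urlsafe(24)
    _ISSUED_CODES[code] = {"nonce": q["nonce"], "challenge": q["code_challenge"],
                           "sub": user_sub, "email": email}
    return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

def _sign_jwt(claims: dict, key: str) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

# Steps 7-8, provider (simulated): back-channel code exchange. The code is consumed
# on first use, and both the client_secret and the PKCE verifier must check out.
def provider_token_endpoint(code: str, code_verifier: str, client_secret: str, now: int) -> dict:
    entry = _ISSUED_CODES.pop(code, None)
    if entry is None or not hmac.compare_digest(client_secret, CLIENT_SECRET):
        raise ValueError("invalid_grant")
    if b64url(hashlib.sha256(code_verifier.encode()).digest()) != entry["challenge"]:
        raise ValueError("invalid_grant: PKCE verifier mismatch")
    id_claims = {"iss": ISSUER, "sub": entry["sub"], "aud": CLIENT_ID, "iat": now,
                 "exp": now + 3600, "nonce": entry["nonce"], "email": entry["email"]}
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "expires_in": 3600, "id_token": _sign_jwt(id_claims, CLIENT_SECRET)}

# Step 6, relying party: the callback is accepted only if state matches the session.
def handle_callback(callback_url: str, session: dict) -> str:
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if not hmac.compare_digest(q.get("state", ""), session["state"]):
        raise ValueError("state mismatch: possible CSRF or login injection")
    return q["code"]

# Step 8, relying party: no claim in the ID Token is trusted until the signature,
# issuer, audience, validity window and nonce have all been checked.
def validate_id_token(id_token: str, expected_nonce: str, now: int) -> dict:
    header_b64, body_b64, sig_b64 = id_token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # the token never gets to pick "none"
    expected_sig = hmac.new(CLIENT_SECRET.encode(), f"{header_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if not (claims["iat"] <= now < claims["exp"]):
        raise ValueError("token expired or not yet valid")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: replayed ID Token")
    return claims

# Drive the full login. The returned "sub" claim is the stable key for the user record.
def run_login(user_sub="108177420123", email="alice@example.com", now=None) -> dict:
    now = int(time.time()) if now is None else now
    auth_url, session = build_authorization_request()
    callback = provider_authorize(auth_url, user_sub, email)
    code = handle_callback(callback, session)
    tokens = provider_token_endpoint(code, session["code_verifier"], CLIENT_SECRET, now)
    return validate_id_token(tokens["id_token"], session["nonce"], now)
```

Calling run_login() returns the validated claims; what the relying party should persist is the sub claim (together with iss), since that is the only identifier the spec guarantees to be stable for a given user at a given provider, while email and profile fields can change. The same validate_id_token checks reject a token whose signature was altered, whose nonce does not match the session, or whose exp has passed, and the stand-in token endpoint refuses a code on its second use and a wrong PKCE verifier.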

Tags

References