01. OAuth and OpenID


01. OAuth (Think: Valet Key for Your Car)

What it is:

OAuth (Open Authorization) is all about authorization. It is a way to grant one application (like a photo printing service) permission to access your data in another application (like your Google Photos) without giving it your Google Photos password.

02. OpenID Connect (OIDC) (Think: Showing Your ID at a Bar)

What it is:

OpenID Connect is all about authentication. It is an identity layer built on top of OAuth 2.0. It allows you to use one login (like your Google or Facebook account) to sign in to other websites or apps.

Key Difference

  • OAuth = About access ("Can this app use my data?")
  • OIDC = About identity ("Is this really John Doe?")


Real-World Use

  • Pure OAuth: Allowing a finance app to read your bank transactions
  • OIDC: Logging into that finance app using your Google account


Without OAuth 2.0, OIDC would not exist.

Without OIDC, OAuth 2.0 can exist.

So, we can use OAuth without OpenID, but we cannot use OpenID Connect without OAuth.

OpenID 1.0 (2005) was a separate protocol that only handled identity, not authorization (OAuth's job), so OpenID Connect (2014) was created to merge identity with OAuth 2.0.


Example: Pure OAuth (No OIDC)

GET /authorize?response_type=code&client_id=123&scope=read:orders write:orders

The authorization server then returns only an `access_token` (here a JWT; its segments are Base64url encoded, so the payload is readable by anyone, not encrypted) used to call APIs. No `id_token` (which carries user identity info) is issued.

Example: OIDC (Requires OAuth)

GET /authorize?response_type=code&client_id=123&scope=openid email profile read:orders write:orders

The authorization server then returns both an `access_token` and an `id_token`. The `id_token` is a JWT carrying user identity claims; like the access token it is Base64url encoded, not encrypted.

id_token: We must validate the ID token (signature, `iss`, `aud`, `exp`, and the `nonce` if one was sent), just like we validate an access token, especially in production.


Sample Authorization URL

https://your-domain.auth.us-east-1.amazoncognito.com/authorize?
  response_type=token&
  client_id=abc123xyz456&
  redirect_uri=https://your-app.com/callback&
  scope=openid email profile read:profile write:settings

  • response_type=token: Requests an access token directly (implicit flow, for frontend apps). Current OAuth 2.0 security guidance recommends the authorization code flow with PKCE instead, because tokens returned in the URL fragment can leak through browser history and referrers.
  • client_id: Your app's client ID from Cognito.
  • redirect_uri: The URI Cognito redirects to after login; it must exactly match a callback URL registered for the client.
  • scope: What you're requesting: identity info (`openid`, `email`, `profile`) + API access (`read:profile`, `write:settings`).

Sample Response (Redirected to Frontend)

https://your-app.com/callback#
  access_token=eyJraWQiOicdsadsadsaAASDFsdf   // JWT, by default it is Base64 encoded
  &id_token=AAddSwfdssdfsddsfsdeyJraWQiOi      // JWT, by default it is Base64 encoded
  &expires_in=3600
  &token_type=Bearer

  • access_token: used to call your protected APIs (which check scopes like read:profile, etc.).
  • id_token: a JWT with user identity info (email, name, etc.) — validate it first, then decode it to read claims.
  • expires_in: token expiration in seconds (usually 3600 = 1 hour).

Example decoded `id_token` payload:

{
  "sub": "1234567890",
  "name": "John Doe",
  "email": "john@example.com",
  "iat": 1516239022
}
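As an added example (not code from the original post), the following stdlib-only Python shows the two points above: decoding an `id_token` needs no key at all, while validating it means checking the signature, `iss`, `aud`, `exp` and `nonce`. It validates a token signed with HS256 using the client secret, which OIDC permits; Cognito itself signs with RS256 and publishes its public keys at a JWKS endpoint, so against Cognito you would use a JWT library with those keys instead. The issuer, client ID and secret are constructed placeholders, and `mint_id_token` only exists so the example runs offline.

```python
import base64, hashlib, hmac, json

# Constructed sample values for this example (not real Cognito values).
CLIENT_ID = "abc123xyz456"
CLIENT_SECRET = b"example-client-secret-for-hs256"
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"

def b64url_decode(segment: str) -> bytes:
    """JWT segments are Base64url without padding; restore the padding first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_unverified(token: str) -> dict:
    """Reading claims needs no key: a JWT is encoded, not encrypted. Never trust this alone."""
    return json.loads(b64url_decode(token.split(".")[1]))

def validate_id_token(token, client_id, secret, issuer, now, nonce=None):
    """Check signature (HS256 with the client secret), iss, aud, exp and nonce; return claims or raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # pin the expected algorithm; never accept 'none'
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims

def mint_id_token(claims: dict, secret: bytes) -> str:
    """Constructed helper so the example runs offline; in practice the IdP mints the token."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    signing_input = enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + base64.urlsafe_b64encode(sig).rstrip(b"=").decode()
```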
