What is OIDC?

OIDC (OpenID Connect) is an alternative login protocol where the service or application uses a third-party service to authenticate the user. OIDC is also used for single sign-on (SSO) applications that allow a user to log in once to access multiple, related applications. For the user, OIDC can provide better security while making the login process simpler. It can also support the services and applications that offer OIDC to users by shifting some security responsibility and coding efforts to the third-party authenticator.

OIDC can enhance online security for an individual by reducing the number of logins needed. Having fewer sets of credentials to manage can translate to better password habits and login information stored in fewer databases, which in turn can reduce the risks associated with data breaches. Having fewer logins to keep track of can also improve the overall online experience.

Companies will often offer third-party login as an enticement for setting up an account—using an existing login to create an account is easier than selecting a new user ID and password, so a user is more likely to create a new account. Third-party login can also reduce lost business caused by users forgetting their password to a site and leaving a full shopping cart. Single sign-on applications are generally seen as helping both users and companies—SSO can reduce the frustration and repetition of using multiple, different login flows.

What does OIDC look like?

A common OIDC use case is when you’re given the option to log into a particular service (such as a news website) using credentials from another source (such as Facebook or Google). Another common use, called single sign-on or SSO, is when a single login gives a user access to multiple services. For example, if you’re logged into Gmail in your browser, you don’t need to separately log into YouTube. Google recognizes that you’ve been authenticated through Gmail, and doesn’t ask you to prove your identity a second time. SSO is often used in work environments. An employer can contract with a third-party provider to establish a login system that allows an employee to log in once and get full access to multiple applications, like the Microsoft suite, Zoom, and a payroll interface.

How does OIDC work?

OIDC is a broad framework with different processes depending on the situation. In general, OIDC is designed to streamline logins, whether that’s to use one login to access another service, or to use a single login to simultaneously access multiple applications. What follows is a general example of an OIDC flow using Google to log into Spotify.

The involved parties

  • User: The individual that wants to log into a service.
  • Relying party: The primary service (like a Web app) the user is accessing. A relying party offers the user the feature to use a third-party login. (In our example, Spotify is the relying party.)
  • Identity provider: The third party that will process the user login and authenticate the user. (In our example, this is Google.)

The steps of an OIDC third-party login process

  • You visit the Spotify website (or open the Spotify app) and opt to log in using your Google credentials.
    • User visits a website hosted by a relying party that offers third-party login with an identity provider.
  • Spotify pings Google, and asks Google to authenticate you.
    • The relying party sends a request for authentication to the identity provider.
  • You log into Google, and agree to Google sharing basic identifying information with Spotify.
    • User is given a login screen or other prompt to log into the identity provider. The exact method for authenticating the user is up to the identity provider—it can be user ID and password, a biometric such as a fingerprint, a one-time passcode sent via text, or any combination of these.
  • Google verifies that it’s you logging in and creates a token containing some information about you and details about the login. This token is sent to Spotify to confirm a successful login.
    • The identity provider validates the user and creates an identity token. The identity token contains user information like username, real name, and possibly other identifying data. The token also states the time of authentication and expiration of authentication.
  • Spotify receives the identity token, confirms that the token came from Google, and grants you access to Spotify’s content.
    • The relying party receives the identity token, and verifies that the token is valid, has not expired, and came from the correct source. If the authentication process was deemed successful, the user is given access to the relying party’s content.
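The last two steps above (the identity provider minting an identity token, and the relying party checking it before granting access) are where most of the security of the flow lives. The following is an added illustration written for this page, not code from Brave, Google, or Spotify. It uses a constructed issuer URL, client ID, and a shared HMAC secret so that it runs offline; a real identity provider signs ID tokens with an asymmetric algorithm such as RS256 and publishes its public keys, so the signature step would use those keys instead. The relying-party checks (signature, issuer, audience, expiration, nonce) are the ones the OpenID Connect specification requires.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (assumptions for this example only).
IDP_ISSUER = "https://idp.example"          # identity provider (the "Google" role)
RP_CLIENT_ID = "demo-music-app"             # relying party (the "Spotify" role)
SIGNING_KEY = b"demo-shared-secret-do-not-reuse"  # stands in for the IdP's signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(subject: str, audience: str, nonce: str, now: int, ttl: int = 300) -> str:
    """Identity provider side: mint a signed identity token (a JWT).

    The token names who was authenticated (sub), who it is for (aud),
    when it was issued and when it stops being valid (iat/exp), and echoes
    the nonce the relying party sent so the response cannot be replayed.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": IDP_ISSUER,
        "sub": subject,
        "aud": audience,
        "iat": now,
        "exp": now + ttl,
        "nonce": nonce,
        "name": "Demo User",  # constructed profile claim
    }
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    signature = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def validate_id_token(token: str, expected_nonce: str, now: int) -> dict:
    """Relying party side: verify the token before granting access.

    Returns the verified claims, or raises ValueError describing which
    check failed. Every check here corresponds to a way an attacker could
    otherwise pass off a token that was not issued for this login.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts

    # Pin the algorithm: never let the token choose how it is verified.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected signing algorithm")

    # Signature must match before any claim is trusted.
    expected_sig = hmac.new(SIGNING_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("wrong issuer")
    audiences = claims.get("aud")
    if not isinstance(audiences, list):
        audiences = [audiences]
    if RP_CLIENT_ID not in audiences:
        raise ValueError("token was not issued for this relying party")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def tamper_subject(token: str, new_subject: str) -> str:
    """Rewrite the 'sub' claim while keeping the original signature.
    Used to show that the relying party's signature check catches edits."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims["sub"] = new_subject
    return f"{header_b64}.{_b64url(json.dumps(claims).encode())}.{sig_b64}"


def outcome(token: str, nonce: str, now: int) -> str:
    """Return 'ok' or the reason the relying party rejected the token."""
    try:
        validate_id_token(token, nonce, now)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    now = 1_700_000_000
    nonce = "nonce-from-rp-session"
    good = issue_id_token("user-42", RP_CLIENT_ID, nonce, now)
    print("valid token:      ", outcome(good, nonce, now + 10))
    print("other app's token:", outcome(issue_id_token("user-42", "other-app", nonce, now), nonce, now + 10))
    print("tampered token:   ", outcome(tamper_subject(good, "user-1"), nonce, now + 10))
    print("expired token:    ", outcome(good, nonce, now + 600))
```

The audience check is easy to overlook: a token that Google legitimately issued for a different app is still a valid Google token, but accepting it would let one relying party be logged into with a token meant for another. The nonce ties the token to the specific login attempt the relying party started, so an old token captured from a previous session cannot be replayed.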

OIDC vs. OAuth

Both OIDC and OAuth are intended to simplify the process of getting online access to a site, app, or service. While OIDC is built on the OAuth framework, OIDC serves a different purpose than the original purpose of OAuth. The main difference between OIDC and OAuth is authentication vs. authorization. OIDC helps an entity authenticate an individual—that is, to verify a person is who they claim to be. An OIDC process results in an identity token that contains verification status of the user authentication, and possibly some information about the user.

The core purpose of OAuth is to facilitate the transfer of an individual’s data from one entity to another. An OAuth process results in an access token that contains details about what data can be accessed, and what permissions the accessing party has regarding that data. Examples of OAuth in action include sharing your address book from Gmail with LinkedIn in order to find connections, or allowing an unrelated app to post an update on your Facebook page.

Security and privacy risks with OIDC and OAuth

OAuth and OIDC both offer improved security. The benefit to using a third-party login (i.e. OIDC) when it’s available is that it reduces the number of logins you need to keep track of, which in turn can translate to improved security habits (such as using strong, unique passwords). With OAuth, you don’t have to share your credentials with other services, which means less exposure to data breaches; OAuth also gives the individual more refined control over how others use their data.

But as with any advancements in security, the risks also evolve in response. With OIDC, hackers can trick an individual into using a fake third-party login screen in order to collect a user’s ID and password. This is why it’s important to use two-factor authentication to detect and prevent these phishing attempts. With regard to privacy, using a third-party login gives Google or Facebook more data to collect on your activity, since they can use it to monitor your use of the apps and websites you’re logging into and how frequently you visit them. (This is why Brave has Google Sign-in Permission.)

With the OAuth process, hackers with stolen login credentials can inject a false URL into the process, diverting access tokens intended for the client to the hackers’ websites. The hackers are then able to use the hijacked tokens to illegally access a user’s data.
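The diversion described above works only if the authorization server accepts a redirect address it was not given at registration time. The standard mitigation is for the server to compare the redirect URI in each request against the exact strings the client registered, rather than a prefix or a domain pattern. The following is an added example written for this page (not code from any real OAuth provider); the registered URIs and the candidate requests are constructed for the demonstration. It puts a loose prefix match, a mistake that still appears in the wild, beside the strict comparison so the difference is visible.

```python
from urllib.parse import urlsplit

# Constructed registration record: the redirect URIs a client declared
# when it signed up with the authorization server.
REGISTERED_REDIRECT_URIS = {
    "https://app.example/callback",
    "https://app.example/mobile/callback",
}


def weak_prefix_match(candidate: str, registered: set[str]) -> bool:
    """The weak setting: accept anything that starts like a registered URI.
    Shown only as the 'before' of the fix; it is the bug, not the advice."""
    return any(candidate.startswith(uri.rsplit("/", 1)[0]) for uri in registered)


def strict_redirect_uri_allowed(candidate: str, registered: set[str]) -> bool:
    """The corrected check: exact string match, plus sanity checks that the
    registered value itself is something an authorization server should accept."""
    if candidate not in registered:
        return False
    parts = urlsplit(candidate)
    # Tokens and codes must only travel over TLS, and a fragment in a
    # redirect URI is never legitimate in the authorization request.
    if parts.scheme != "https" or parts.fragment:
        return False
    return True


# Constructed candidate redirect URIs as they might arrive in authorization
# requests. Only the first two are legitimate.
CANDIDATES = [
    "https://app.example/callback",
    "https://app.example/mobile/callback",
    "https://app.example/callback/../other",      # path traversal past the registered path
    "https://app.example/callback?next=elsewhere", # extra query parameter
    "https://app.example/callback#frag",           # fragment
    "http://app.example/callback",                 # downgrade to plain HTTP
    "https://app.example.evil.example/callback",   # lookalike host with a longer suffix
]


def evaluate(candidates: list[str]) -> dict[str, tuple[bool, bool]]:
    """Map each candidate to (weak_result, strict_result)."""
    return {
        c: (weak_prefix_match(c, REGISTERED_REDIRECT_URIS),
            strict_redirect_uri_allowed(c, REGISTERED_REDIRECT_URIS))
        for c in candidates
    }


if __name__ == "__main__":
    for uri, (weak, strict) in evaluate(CANDIDATES).items():
        print(f"weak={str(weak):5}  strict={str(strict):5}  {uri}")
```

The weak matcher waves through every entry in the list, including the lookalike host, because the prefix `https://app.example` is present in all of them. The strict matcher accepts only the two registered strings. Pairing this server-side check with PKCE and the `state` parameter on the client side closes the remaining gaps in the redirect step, but exact matching is the part that directly stops the token from being sent somewhere the client never registered.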
