iluom
Contributor II

How will OpenID Connect help you in securing APIs?


Hi 


I have a decent understanding of the concept and purpose of the OAuth 2.0 Authorization framework.

At the end of the day, all the APIs are secured with OAuth 2.0, and we need to present an access token to talk to the API. The API service validates the access token by talking to the authorization server.


OAuth is about delegated authorization, whereas OpenID Connect is about authentication. An ID token is an assertion about user identity, that is, a proof of user identity.


So, what I read in books is that it can be used to authenticate to an API, but I'm not able to grasp why you would need to pass an ID token to an API. How will OpenID Connect help us in securing APIs? I mean, in which context...


Can someone enlighten me?


Thanks


Chandra Mouli, CISSP, CCSP, CSSLP
1 Reply
iluom
Contributor II


I got some clues for my previous query... sharing them here, as they may be helpful to others who are new to OAuth and OpenID Connect.


You can think of access tokens like cash. If you find a dollar bill on the ground and present it at a shop, the merchant will accept it. She looks at the issuer of the bill, and trusts that authority. The saleswoman doesn't care that you found it somewhere. Access tokens are the same. The API gets the access token and accepts the contents of the token because it trusts the issuer (here the OAuth server). The API does not know if the client presenting the token really is the one who originally obtained it.


This may be a bad thing. Access tokens are helpful in some cases, but risky in others. Where some sort of proof is needed that the client is the one to whom the token was issued, here comes OpenID Connect, a plug-in to OAuth which issues ID tokens that can be used for authentication of the user.


ID tokens are like a credit card. If you find my credit card on the street and try to use it at a shop, the merchant will (hopefully) ask for some form of ID or a PIN that unlocks the card. This extra credential assures the merchant that the one presenting the credit card is the one to whom it was issued. So if the API requires this sort of proof, we will need ID tokens.


Chandra Mouli, CISSP, CCSP, CSSLP
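An added example (not the poster's code) of the claim checks behind the two analogies above: the API validates an access token for issuer, audience, expiry and scope, while the client validates an ID token as OpenID Connect Core section 3.1.3.7 requires (issuer, audience equal to its own client_id, nonce, expiry). The issuer URL, the client_id "spa-client", the HMAC key and every token here are constructed for the demo; real deployments verify the issuer's asymmetric (e.g. RS256) signatures against its published keys rather than a shared secret.

```python
import base64, hashlib, hmac, json

# Constructed demo key shared by the "authorization server" and both verifiers; not a real secret.
KEY = b"constructed-demo-key-not-a-real-secret"
ISSUER = "https://as.example"  # constructed issuer URL

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def _as_list(aud):
    return aud if isinstance(aud, list) else [aud]  # "aud" may be a string or a list (RFC 7519 4.1.3)

def mint_jwt(claims: dict, key: bytes = KEY) -> str:
    """Issuer side: compact HS256 JWT, included only so the example runs offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_and_decode(token: str, key: bytes = KEY) -> dict:
    """Trust in the issuer (the 'bill issuer' of the post): reject anything whose signature fails."""
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, decides the algorithm
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))

def api_accepts_access_token(token, api_audience, required_scope, now) -> bool:
    """Resource server: token must name THIS API as audience, be unexpired, and carry the scope."""
    c = verify_and_decode(token)
    return (c.get("iss") == ISSUER and api_audience in _as_list(c.get("aud"))
            and c.get("exp", 0) > now and required_scope in c.get("scope", "").split())

def client_accepts_id_token(token, client_id, expected_nonce, now) -> bool:
    """Relying party, OIDC Core 3.1.3.7 (subset): audience is the client, nonce ties it to this login."""
    c = verify_and_decode(token)
    return (c.get("iss") == ISSUER and client_id in _as_list(c.get("aud"))
            and c.get("exp", 0) > now and "sub" in c and c.get("nonce") == expected_nonce)

def demo(now=1_700_000_000):
    """Constructed tokens: an access token for the API and an ID token for the client 'spa-client'."""
    access = mint_jwt({"iss": ISSUER, "aud": "https://api.example", "sub": "user-42",
                       "scope": "orders:read", "exp": now + 300})
    id_tok = mint_jwt({"iss": ISSUER, "aud": "spa-client", "sub": "user-42", "nonce": "n-1", "exp": now + 300})
    return (api_accepts_access_token(access, "https://api.example", "orders:read", now),
            api_accepts_access_token(id_tok, "https://api.example", "orders:read", now),  # ID token at the API
            client_accepts_id_token(id_tok, "spa-client", "n-1", now))
```

demo() returns (True, False, True): the API accepts the access token, rejects the ID token because its audience is the client rather than the API, and the client accepts the same ID token because it was addressed to it and carries the nonce of its own login attempt.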