Why use OpenID Connect instead of plain OAuth2?

OpenID connect will give you an access token plus an id token. The id token is a JWT and contains information about the authenticated user. It is signed by the identity provider and can be read and verified without accessing the identity provider.

In addition, OpenID connect standardizes quite a couple things that oauth2 leaves up to choice. for instance scopes, endpoint discovery, and dynamic registration of clients.

This makes it easier to write code that lets the user choose between multiple identity providers.


OAuth provides only and should only provides authorization using an access token. OpenID connect is built on OAuth 2 in order to provide user authentication information. However, it will not provide you a more robust implementation than OAuth (since it uses OAuth and add some extra interactions with a OpenID provider).

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 [RFC6749] protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner. OpenID Connect Core 1.0 - draft 17

OpenID connect provides you a "standard" way to obtain user identity. If you use OAuth and the API, you should adapt your request for each resource, which may not always provide the same information or may change over the time. And conceptually, you use OAuth to be allowed to use an API, not to authenticate an user.

As background, the OAuth 2.0 Authorization Framework [RFC6749] and OAuth 2.0 Bearer Token Usage [RFC6750] specifications provide a general framework for third-party applications to obtain and use limited access to HTTP resources. They define mechanisms to obtain and use Access Tokens to access resources but do not define standard methods to provide identity information. Notably, without profiling OAuth 2.0, it is incapable of providing information about the authentication of an End-User. OpenID Connect Core 1.0 - draft 17

Note that OpenID connect provides an id_token with some information about the user. However, if you want the whole set of information, you still need the access_token to request the OpenID provider to get the userinfo (which confused me the first time I saw it). That shows that requesting user information from an API or from the OpenID provider use almost the same method. See 5.3.1. userinfo request in the draft.


OAuth is an authorisation protocol, providing a way to give authorisation to access a protected resource. A by-product of the authorisation process is that the user is authenticated.

Technically, OAuth does not have to give you any information about the user. What it provides is a validation that the user has given authority to the application to access some data. This is governed by the scope of the authorisation grant.

OpenID Connect provides a way for the application to retrieve information about the authenticated user. Most importantly it provides a level of assurance that the information is valid (as far as the authorisation server is concerned anyway). This can then be used to facilitate identity federation.

In the past, federation was achieved with OAuth by granting a scope that allowed access to the user's identity information. OpenID Connect standardises that scope.