Update: Authentication Cheat Sheet – Improve language about OAuth and OIDC
What is missing or needs to be updated?
The sections about OAuth 2 and OpenID Connect contain unclear definitions of OAuth 2 and OpenID Connect:
- Plain OAuth 2 is not an authentication protocol. The authorization server may authenticate a user, but OAuth itself specifies no way to communicate this to the client.
- OpenID is misspelled as "OpenId".
- The name "OpenID" is ambiguous. It is the name of a standards developing organization and also part of many standards' names.
How should this be resolved?
- Improve the definition of OAuth (RFC 6749, Video: OAuth 2.0 Master Class by Justin Richer).
- Replace all occurrences of "OpenId" with "OpenID Connect 1.0" or "OIDC" (and define the abbreviation on first use: "OpenID Connect 1.0 (OIDC)").
- Explain that OIDC is an extension of OAuth 2 and what OIDC does.
I support this clarification 100%. I'm sorry it passed review. We take PRs, would you care to submit one for us?
This clarification is very important. The current wording can easily confuse developers about the difference between OAuth 2.0 and OpenID Connect.
In addition to the proposed fixes, it may also help to:
- Clearly distinguish roles: emphasize that OAuth 2.0 is an authorization framework, while OIDC is an authentication layer built on top of it.
- Provide references: link to RFC 6749 (OAuth 2.0) and the OpenID Connect Core 1.0 specification, so readers can explore the standards directly.
- Add a visual: a simple diagram showing where OAuth 2.0 ends and where OIDC extends it could make the explanation clearer.
- Consistent terminology: ensure "OpenID Connect 1.0 (OIDC)" is introduced once, then use "OIDC" throughout.
I’d be glad to help review or draft the updated section if we decide on the approach.