OAuth 2.0, OpenID Connect, and WebAuthn

From PiRho Knowledgebase
Revision as of 05:34, 20 April 2026 by Dex (talk | contribs) (Created page with "= OAuth 2.0, OpenID Connect, and WebAuthn = == How Modern Authentication and Authorization Actually Fit Together == '''Summary:''' OAuth 2.0, OpenID Connect (OIDC), and WebAuthn are often discussed together, but they solve fundamentally different problems. Confusion arises when they are treated as competing technologies rather than complementary layers. This article explains how OAuth 2.0 handles authorization, how OIDC adds identity and authentication semantics, and...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

OAuth 2.0, OpenID Connect, and WebAuthn

How Modern Authentication and Authorization Actually Fit Together

Summary: OAuth 2.0, OpenID Connect (OIDC), and WebAuthn are often discussed together, but they solve fundamentally different problems. Confusion arises when they are treated as competing technologies rather than complementary layers. This article explains how OAuth 2.0 handles authorization, how OIDC adds identity and authentication semantics, and where FIDO2 / WebAuthn fits cleanly as a modern, phishing-resistant authentication method within that stack.


Context

Modern systems rarely authenticate users directly. Instead, authentication, identity, and authorization are intentionally split across components:

  • Applications no longer want to handle passwords
  • APIs need scoped access without user credentials
  • Authentication strength needs to vary by context and risk
  • Passwordless and phishing-resistant mechanisms are now practical

OAuth 2.0, OIDC, and WebAuthn exist because no single mechanism solves all of these concerns cleanly.


OAuth 2.0: Delegated Authorization

OAuth 2.0 is not an authentication protocol. It is a framework for delegating access to resources.

In simple terms:

“This application may do these specific things on my behalf.”

Core OAuth Concepts

  • Resource Owner – the user
  • Client – the application requesting access
  • Authorization Server – issues tokens
  • Resource Server – the API being accessed

OAuth introduces access tokens that are time-limited, scope-bound, and revocable.


OpenID Connect: Adding Identity

OpenID Connect (OIDC) is a thin identity layer built on OAuth 2.0.

OAuth answers:

“What is this client allowed to access?”

OIDC answers:

“Who authenticated, how, and when?”

What OIDC Adds

  • ID Tokens (JWTs)
  • Standard identity claims (sub, iss, aud, exp)
  • Authentication semantics
  • Profile and assurance signalling

OIDC standardises login without redefining OAuth itself.


Authentication Remains Abstract

Neither OAuth nor OIDC defines how authentication occurs.

They do not mandate:

  • Passwords
  • OTPs
  • Biometrics
  • Hardware keys

They only require that authentication has succeeded before tokens are issued.


WebAuthn: Authentication, Not Identity

WebAuthn is a cryptographic authentication mechanism providing:

  • Public-key authentication
  • Origin binding
  • Phishing resistance
  • No shared secrets

It does not provide identity federation, tokens, or scopes.

WebAuthn replaces passwords and weak MFA factors within the authentication step.


Layered Architecture

[ Authentication Methods ]
    - Password
    - OTP
    - WebAuthn (FIDO2)

[ Identity Layer ]
    - OpenID Connect

[ Authorization Layer ]
    - OAuth 2.0

[ Applications / APIs ]

This separation allows authentication methods to evolve without breaking applications or APIs.


WebAuthn Inside OAuth / OIDC

In modern systems, WebAuthn appears as just another authentication method.

Typical flow:

  1. User initiates login
  2. WebAuthn challenge is performed
  3. Assertion is verified
  4. OIDC ID Token is issued
  5. OAuth access tokens are minted

Applications remain unaware of the underlying authentication method.


Signalling Authentication Strength

OIDC supports claims that describe authentication context:

  • amr – Authentication Methods Reference
  • acr – Authentication Context Class Reference

Example:

"amr": ["fido"]

This enables step-up authentication and policy-driven enforcement.


Why This Matters

When authentication, identity, and authorization are properly separated:

  • Passwordless login becomes trivial
  • Strong MFA can be enforced selectively
  • APIs remain decoupled from identity mechanics
  • Security improves without rewriting applications

Conclusion

OAuth 2.0, OpenID Connect, and WebAuthn are not competing technologies.

They are deliberately orthogonal layers that, when combined correctly, produce systems that are safer, simpler, and easier to evolve.