identity: data about who you are that tells you apart from everyone else
authentication: proving your identity
authorization: giving permission to do something
1.2 The protocols: OAuth 2.0 and OpenID Connect
The OAuth 2.0 protocol is for authorization, not authentication, and assumes an already existing way to authenticate users. It’s mainly for giving a service or application permission to do something on your behalf.
The OpenID Connect (OIDC) protocol is for authenticating yourself to one service or application by using a third-party service. This allows one authentication service (or identity provider) to be used for any number of other services or applications. Further, since the identity provider can keep a login session open independently of the other services and applications, this provides a single sign-on experience.
1.3 Entities involved in the protocols
The protocols involve the following entities:
the end user, who is trying to do something; also the resource owner
the web browser, used by the user; might be a mobile or command-line application instead of a browser per se
the application, which the user uses to do things, and as part of that access resources
the resource provider, where the resources are, and which allows access to them via a web API
the identity provider (IDP), which authenticates the user
2 OIDC protocol
This augments plain OIDC with two cookies:
an app cookie set by the application to tie a user and their session together: this lets the application store data about the user and what they’re doing between HTTP requests
a login cookie set by the IDP to remember this user has a valid login session
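Added example, not part of these notes: a constructed, in-memory Python simulation of the login flow with the app cookie and the IDP login cookie, walking both the logged-out and the logged-in user. The class names Idp and App, the client and redirect values, and the HMAC key the app shares with the IDP (standing in for the IDP's real signature on the ID token) are assumptions.

```python
import secrets, hmac, hashlib, json, time
# Constructed simulation (names Idp/App assumed). An HMAC with a key shared by
# app and IDP stands in for the IDP's real public-key signature on the ID token.

class Idp:
    def __init__(self, client_id, redirect_uri, key):
        self.client_id, self.redirect_uri, self.key = client_id, redirect_uri, key
        self.logins = {}   # login cookie -> user
        self.codes = {}    # one-time authorization code -> (user, nonce)

    def authorize(self, client_id, redirect_uri, state, nonce, login_cookie=None, user=None):
        if (client_id, redirect_uri) != (self.client_id, self.redirect_uri):
            raise PermissionError("unregistered client or redirect_uri")
        if login_cookie not in self.logins:            # logged-out user (2.1)
            if user is None:
                return "login_page", None              # IDP shows its own login form
            login_cookie = secrets.token_urlsafe(32)   # credentials assumed verified
            self.logins[login_cookie] = user
        code = secrets.token_urlsafe(32)               # logged-in user (2.2): code right away
        self.codes[code] = (self.logins[login_cookie], nonce)
        return f"{redirect_uri}?code={code}&state={state}", login_cookie
    def token(self, code):
        user, nonce = self.codes.pop(code)             # a code is redeemable once
        body = json.dumps({"sub": user, "aud": self.client_id, "nonce": nonce,
                           "exp": int(time.time()) + 300}).encode()
        return body + b"." + hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()

class App:
    def __init__(self, idp, client_id, redirect_uri, key):
        self.idp, self.client_id, self.redirect_uri, self.key = idp, client_id, redirect_uri, key
        self.sessions = {}   # app cookie -> {"state", "nonce", "user"}

    def request(self, app_cookie=None):
        sess = self.sessions.get(app_cookie, {})
        if "user" in sess:                             # app cookie still maps to a user
            return "ok", sess["user"], app_cookie
        app_cookie = secrets.token_urlsafe(32)         # new session, then send to the IDP
        self.sessions[app_cookie] = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}
        return "redirect", dict(client_id=self.client_id, redirect_uri=self.redirect_uri,
                                **self.sessions[app_cookie]), app_cookie
    def callback(self, app_cookie, code, state):
        sess = self.sessions[app_cookie]
        if not hmac.compare_digest(state, sess["state"]):
            raise PermissionError("state mismatch: login was not started by this session")
        body, sig = self.idp.token(code).rsplit(b".", 1)
        if not hmac.compare_digest(sig.decode(), hmac.new(self.key, body, hashlib.sha256).hexdigest()):
            raise PermissionError("bad ID token signature")
        claims = json.loads(body)
        if claims["aud"] != self.client_id or claims["nonce"] != sess["nonce"] or claims["exp"] < time.time():
            raise PermissionError("ID token was not issued for this login")
        sess["user"] = claims["sub"]                   # app cookie now identifies the user
        return sess["user"]
```

A second application registered with the same IDP can be logged in with only the login cookie, which is the single sign-on behaviour the notes describe.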
2.1 Successful resource access by a logged-out user
2.2 Successful resource access by a logged-in user
2.3 Successful request when an access cookie has expired