OIDC Integration
OIDC stands for OpenID Connect. It is a protocol built on top of OAuth 2.0 for authenticating a user. This means OpenID Connect is used together with OAuth, so that both authorization and authentication of a user are covered. All of the popular Single Sign-On providers we know today, such as Google, Microsoft and Okta, support OpenID Connect.
What is it?
- A protocol for authentication.
- Issues an authentication token.
- Used to authenticate a user through a third-party provider.
- Returns a JWT (the ID token) containing the details of the user.
What is it not?
- It is NOT a provider for Single Sign-On.
- Not an API.
How does it work?
When a user wants to authenticate with a third-party provider, they are redirected to the provider's login page. The user then enters their credentials, and the provider returns an ID token to the application. The ID token contains information about the user, such as their name and email address, and is digitally signed to prevent tampering. The application can then use this ID token to authenticate the user.
Advantages of OIDC
Standardized: OIDC is a widely adopted standard for authentication and authorization, which means that it's supported by many providers and libraries.
Secure: OIDC uses JSON Web Tokens (JWTs) to convey user information, which are digitally signed to prevent tampering.
Versatile: OIDC supports many different types of authentication, including multi-factor authentication and social logins.
Drawbacks of OIDC
Complexity: OIDC can be complex to implement, especially if you need to support multiple providers and handle the various edge cases that can arise.
Security concerns: Because OIDC relies on third-party providers for authentication, there is always a risk of security vulnerabilities or data breaches.
Google Identity Platform
Google Identity Platform is a service offered by Google that provides authentication and authorization for web and mobile applications. It's designed to provide a secure and scalable solution for managing user identities.
How does it work?
Google Identity Platform uses OAuth 2.0 and OpenID Connect to authenticate users with third-party providers such as Google, Facebook, and Apple. When a user logs in with a third-party provider, Google Identity Platform returns an ID token that the application can use to authenticate the user.
Advantages of Google Identity Platform
Scalable: Google Identity Platform is designed to handle a large number of users and can scale with your application.
Customizable: Google Identity Platform is highly customizable.
How can we implement it in our Situation?
In our situation, the whole login procedure is handled by Firebase. Firebase is an identity provider, but it also acts as a mediator between the client app and other identity providers such as Google, Facebook, etc.
When we use Single Sign-On with Google, we authenticate with Google and hand the resulting access token and ID token to Firebase. Firebase then creates a user account using these tokens.
Using these tokens, Firebase obtains our credential information and provides all the identity-related information such as email and name.
Similarly, Firebase supports multiple identity providers such as GitHub, Microsoft, Facebook and Twitter. Using Firebase makes handling these providers easy.
But what if our specific provider is not listed in Firebase?
In such a case, Firebase provides a method for OIDC login. With this type of login we can configure a third-party OIDC identity provider that Firebase does not support out of the box.
For example, suppose we are using Okta as a login provider.
You can see in the above picture that Okta is not listed by Firebase, but on the right-hand side there is an option for OIDC.
Using this option, a custom login provider can be configured for our application.
We need these three fields to configure a provider:
- Client ID
- Issuer (URL)
- Client secret
All of these are provided by the identity provider that is being configured with Firebase.
After this configuration, you will get a callback URL for your Firebase app, which has to be registered with the provider.
In this way Firebase communicates with the provider, and once you authenticate, Firebase obtains the tokens on your behalf and provides you with the user identity.
In layman's terms, Firebase is the OIDC client and Okta, Google, etc. are OIDC providers. Our app is a consumer that uses Firebase services.
In the backend:
From the front-end app we can get the provider name using the Firebase package. This provider name is then sent to the backend along with the JWT token in our RPC calls.
Known problems
There is only one known problem for now. Firebase doesn't group user accounts according to their provider. Suppose you have two OIDC configurations; both will be treated only as OIDC. As we said earlier, OIDC in itself is not a provider, just a protocol. It therefore becomes hard to find out from which provider a given user has logged in.
How does Firebase Authentication and OIDC differ?
Understanding Identity Platform
Firebase Authentication is an identity platform provided by Google's Firebase suite of services. It offers authentication, authorization, and user management features for web and mobile applications. Firebase Authentication supports a range of authentication mechanisms, including email and password, phone number, Google, Facebook, Twitter, and other popular identity providers.
Firebase Authentication also provides a set of tools for managing user authentication and authorization, including user authentication state tracking, custom user attributes, user role-based access control, and user-based security rules for Firebase Realtime Database and Cloud Firestore.
In summary, Firebase Authentication is a comprehensive identity platform that offers developers a simple way to integrate authentication and authorization functionality into their applications. Its features and services make it easier for developers to manage user identities, secure user data, and provide a seamless authentication experience for users.
Understanding OIDC and how using it with Firebase Authentication leverages the best of both worlds
OpenID Connect (OIDC) and identity platforms serve different purposes, but they are closely related and can complement each other in some scenarios.
OpenID Connect is a protocol that provides authentication and identity services for web and mobile applications. It is built on top of the OAuth 2.0 framework and provides an extension to enable clients to obtain user identity information. OIDC defines a set of endpoints, data structures, and mechanisms for exchanging identity tokens and verifying user identities.
An identity platform, on the other hand, is a software solution that provides a range of services for managing user identities, authentication, authorization, and user data. It typically includes features such as user authentication, user management, and security and compliance measures.
While OIDC provides a mechanism for authenticating users and obtaining user identity information, it does not provide the additional services that an identity platform typically offers. Identity platforms provide a more comprehensive set of features for managing user identities and access controls, such as user management, security and compliance, and integration with other systems.
In practice, an identity platform can use OIDC to provide authentication and identity services, while also offering additional features that make it a more complete solution for managing user identities and access controls.
For example, an identity platform might use OIDC to authenticate users and obtain user identity information, and then use that information to manage user accounts, control access to resources, and enforce security policies.
In summary, OIDC and identity platforms are different but complementary solutions for managing user identities and access controls. OIDC provides a standardized mechanism for authenticating users and obtaining user identity information, while an identity platform provides a more comprehensive set of features for managing user identities and access controls.