OAuth 2.0 vs OpenID Connect: What's the Difference?
OAuth 2.0 and OpenID Connect are constantly confused, and using the wrong one creates real security holes. The short version: OAuth is for authorization, OIDC is for authentication.
OAuth 2.0 is about access, not identity
OAuth 2.0 lets an application get delegated access to resources on a user's behalf, for example "let this app read my calendar." It issues access tokens scoped to permissions. Crucially, OAuth was never designed to tell you who the user is, and using an access token as proof of login is a classic mistake.
OpenID Connect adds identity
OIDC is a thin layer on top of OAuth 2.0 that adds an ID token (a signed JWT) describing the authenticated user and a standard userinfo endpoint. When you need to log a user in, you want OIDC.
A simple rule
- "Log this user in" → OIDC.
- "Let this app act on the user's resources" → OAuth 2.0.
- Securing machine-to-machine or AI agents? See non-human identity and our authorization category.
Where to start
Read the OAuth 2.0 and OIDC implementation guide, and the related SAML vs OIDC comparison.
Frequently asked questions
- What is the difference between OAuth and OIDC?
- OAuth 2.0 is an authorization framework for granting access to resources. OpenID Connect, or OIDC, is an identity layer built on top of OAuth that adds authentication and user identity through an ID token.
- Can you use OAuth for login?
- OAuth alone is designed for authorization, not authentication. OIDC was created to handle login correctly on top of OAuth.
- What is an ID token?
- An ID token is a signed token issued by OIDC that conveys who the user is, distinct from the OAuth access token used to call APIs.