Quiz Entry - updated: 2026.07.14
What is the difference between OAuth and OIDC?
OAuth 2.0 handles authorization ("this app may access my files"); OIDC adds an identity layer on top for authentication ("prove who I am"), as in "Sign in with Google".
OAuth 2.0 = Authorization (what you can do) OIDC (OpenID Connect) = Authentication (who you are)
| Protocol | Purpose | Token | Use Case |
|---|---|---|---|
| OAuth 2.0 | Grant permissions | Access token | "App can read my files" |
| OIDC | Verify identity | ID token + Access token | "Login with Google" |
Key insight: OIDC is built on top of OAuth 2.0. It adds an identity layer.
Real examples:
- OAuth only: "Allow Canva to access my Google Drive files" (no login, just permission)
- OIDC: "Sign in with Google" (verifies your identity)
Memory aid:
- OAuth = Other apps Authorized to access your stuff
- OIDC = Open ID = Identity verification
Go deeper:
RFC 6749 — OAuth 2.0 Authorization Framework — grounds the "authorization, not authentication" distinction in the primary source.
OpenID Connect (Wikipedia) — the identity layer built on top of OAuth 2.0 and how the ID token proves who you are.