Quiz Entry - updated: 2026.07.14
What is the relationship between OAuth 2.0 and OpenID Connect (OIDC), and what does each one actually do?
OAuth 2.0 is an authorization protocol ("what may this app do?"); OIDC is a thin authentication layer ("who is this user?") built on top of it.
They're often spoken of together, but they answer different questions:
| OAuth 2.0 | OpenID Connect (OIDC) | |
|---|---|---|
| Question | Authorization — delegated access to resources/APIs | Authentication — proving identity |
| Core artifact | Access Token (call an API on the user's behalf) | ID Token (a JWT describing who logged in) |
| Layer | base protocol | sits on top of OAuth 2.0 |
OAuth alone says "this app may read your calendar" but never cleanly says "you are Alice." OIDC adds that identity layer, which is why "Log in with Google/Apple" buttons rely on OIDC, not bare OAuth.
Tip: Memory hook — OAuth = Authorization (access), OIDC = ID (identity). The shared "auth" prefix is exactly what trips people up.
Go deeper:
RFC 6749 — The OAuth 2.0 Authorization Framework — the authoritative definition of OAuth roles, grants, and endpoints.
OpenID Connect Core 1.0 — the identity layer "on top of OAuth 2.0" that adds the ID Token.
Wikipedia: OAuth — overview with the authorization-flow diagram and the OAuth-vs-OIDC distinction.