How to explain OAuth & OpenID Connect to a 7-year-old? (using Analogy of hotel key card & passport)

This series is an attempt to introduce technical concepts by finding real-life examples.

Abhinav Kapoor
CodeX
4 min read · Jan 22, 2023


Ever come across a registration process that lets you sign in with an existing Google, Apple or Facebook account, and even prefills your profile details? That's OAuth and OpenID Connect at work. Let's look at them through a couple of analogies.

How is OAuth similar to a Hotel Key card?


Checking in at a hotel and getting a key card for a room typically has the following steps:

  1. The receptionist verifies the guest's identity by checking a valid government-issued identity document (verifying identity is authentication). This works because the receptionist trusts the issuing government or body.
  2. The guest and the receptionist fill in some forms as a formality, to keep a record, and the receptionist hands the access key card to the guest.
  3. From then on the identity documents are no longer needed: the key card alone gets the guest all the access they need. In other words, the key card is enough to authorize the guest, and authentication does not have to be repeated.

Such a key card has the following attributes:

  1. Anonymous: it carries no personal details. Anyone in possession of the key card can open the room.
  2. Limited in time: the key card is valid only for the duration of the stay.
  3. Limited in scope: the key card works only for the specific room.

What is OAuth?

It’s an authorization protocol for securing resources using an access token.

As in the hotel check-in process, authentication happens just once and then an access card is issued. OAuth works on the same principle: the user is authenticated in a single place, the authorization server, and upon successful authentication an access token is issued. The token has the same characteristics as the key card: anonymous, limited in time and limited in scope.

And just like a hotel room's lock, a secured API (the resource server) trusts the authorization server and therefore grants access, within the token's scope, to whoever presents a valid token.

Because anyone in possession of such an access token can exercise that authorization, it is called a bearer token.

What is OpenID Connect? & How is it similar to a Passport?


While visiting a foreign land, a passport proves the identity of the passport holder. The foreign country trusts that the issuing country carried out all the relevant identity checks before issuing the passport.

Another point is that merely holding a passport usually grants no access within, or to, a foreign land; that access is controlled by a visa or residence permit issued by the foreign country (or by treaties). What the passport does is establish the fundamental identity of the individual to the foreign authorities, so that the subsequent formalities can begin.

What is OpenID Connect?

It's an extension of OAuth 2.0. The difference is in the token itself: OpenID Connect produces an identity token (ID token) that carries claims about the user's identity.

Returning to the passport example, just as a passport is issued by a government, the identity token is issued by an identity provider (public identity providers include Google, Apple, Facebook, etc.) after authenticating the user.

And like a passport, an identity token implies that the user is registered with, and has been authenticated by, the identity provider, but it does not by itself grant any access.

And just as foreign authorities can rely on the identity established by a passport to grant local access, relying applications can grant access based on the identity asserted by a trusted identity provider, or simply use the token to display or log some user attributes.

For example, my Medium.com account was created on top of my Google identity. What I'm authorized to do on Medium.com (joining publications, editing stories) is controlled by Medium.com; however, I log in to Medium.com using Google.

Most Identity providers can be configured to give both an Access token and an Identity token.
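To make the two halves of the analogy concrete, here is an added example (not code from the original article) that plays both roles: a resource server acting as the "hotel-room lock" on a bearer access token, and a relying application doing "passport control" on an ID token. It builds and checks compact JWT-style tokens with only the Python standard library. Everything in it is constructed for the demo: the HS256 shared secret, the placeholder issuer URL `https://auth.example.test`, the client id `demo-client`, the claims and the fixed clock are assumptions, and the function names are hypothetical. A real deployment would use a vetted JWT library and asymmetric keys published via JWKS; the point is which checks each side performs and which it deliberately does not.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values (not from the original article): a shared HS256 secret stands in for the
# authorization server's signing key, and ISSUER is a placeholder for its URL. Real deployments
# normally use asymmetric keys (RS256/ES256) published via JWKS and a vetted JWT library.
SIGNING_KEY = b"constructed-demo-secret-do-not-reuse"
ISSUER = "https://auth.example.test"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Authorization server / identity provider side: mint a compact JWS (header.payload.signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_signature(token: str, key: bytes = SIGNING_KEY) -> dict:
    """The 'trust the issuer' step: a token only means something if the trusted server signed it.
    Returns the claims on success, raises ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the expected algorithm instead of trusting the header
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def resource_server_allows(access_token: str, required_scope: str, now: Optional[float] = None) -> bool:
    """Hotel-room lock: the API never asks who the user is, only whether the token is genuine,
    unexpired (limited in time) and carries the required scope (limited in scope)."""
    try:
        claims = verify_signature(access_token)
    except ValueError:
        return False
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        return False
    if now >= claims.get("exp", 0):
        return False
    granted_scopes = claims.get("scope", "").split()
    return required_scope in granted_scopes


def relying_party_accepts(id_token: str, client_id: str, now: Optional[float] = None) -> Optional[dict]:
    """Passport control: check the issuer (which 'country' issued it), the audience (the token was
    minted for this application) and freshness, then return the verified identity claims.
    Nothing here grants access; that stays the relying application's own decision."""
    try:
        claims = verify_signature(id_token)
    except ValueError:
        return None
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != client_id:
        return None
    if now >= claims.get("exp", 0) or "sub" not in claims:
        return None
    return {"sub": claims["sub"], "email": claims.get("email")}


# Constructed sample tokens with a fixed clock so the checks below are deterministic.
NOW = 1_700_000_000
ACCESS_TOKEN = issue_token({"iss": ISSUER, "exp": NOW + 3600, "scope": "photos:read"})
ID_TOKEN = issue_token({"iss": ISSUER, "aud": "demo-client", "exp": NOW + 3600,
                        "sub": "user-123", "email": "alice@example.test"})
# A token signed under some other key: the lock does not trust it, just as a room lock
# ignores a card programmed by a different hotel.
UNTRUSTED_TOKEN = issue_token({"iss": ISSUER, "exp": NOW + 3600, "scope": "photos:read"}, key=b"other-key")

if __name__ == "__main__":
    print("access token, right scope    :", resource_server_allows(ACCESS_TOKEN, "photos:read", NOW))
    print("access token, wrong scope    :", resource_server_allows(ACCESS_TOKEN, "photos:write", NOW))
    print("access token, after expiry   :", resource_server_allows(ACCESS_TOKEN, "photos:read", NOW + 7200))
    print("access token, untrusted key  :", resource_server_allows(UNTRUSTED_TOKEN, "photos:read", NOW))
    print("id token, for this client    :", relying_party_accepts(ID_TOKEN, "demo-client", NOW))
    print("id token, for another client :", relying_party_accepts(ID_TOKEN, "other-client", NOW))
    print("id token used as access token:", resource_server_allows(ID_TOKEN, "photos:read", NOW))
```

Two details carry the analogy. The resource server never looks at a `sub` or `email` claim: like the room lock, it only cares that the card is genuine, still valid and cut for this room, so a token with the wrong scope, an expired token, or one signed under an unknown key is all refused the same way. The relying party, by contrast, checks `aud` as well as `iss`, because a passport shown at the wrong border is not the same as a visa; and presenting the ID token to the resource server fails, which is the "passport grants no access" point from the passport section in code.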

Closing notes

OAuth flows differ depending on the type of application (with or without a browser) and on the trust within the environment (public or secured). However, as this series is limited to introducing the concepts, I'm leaving links for further reading.


Technical Architect | AWS Certified Solutions Architect Professional | Google Cloud Certified - Professional Cloud Architect | Principal Engineer | .NET