OAuth vs OIDC - How to determine which to use?

I currently have OAuth set up, but I was going to implement nonce, only to realize it doesn’t support nonce. OIDC does support nonce, and seems to be overall the more secure option, as mentioned by the API docs. Does OAuth have any advantage over OIDC? How do I know which to use for my project?

Both support state and can be used as a nonce field. I think OIDC only includes a “second field” to be in line with OIDC libraries.

At time of writing both OAuth and OIDC will return an oAuth token.
OIDC returns a JWT, and provides a userinfo endpoint which isn’t rate limited like helix is.

I used a mixture of both on my products.

If I’m just logging the user into a website and doing nothing else, then I’ll use OIDC, usually with their email too. And I’ll ignore/discard the oAuth token.

  • oAuth is for “offline access to an account”: the user left/navigated away from your website/tool, and you need to still access their account
  • OIDC is for “login to website/tool” for a short while, since the JWT that represents the user is only valid for a short while and can’t be refreshed, so you only do stuff whilst the user is actually using your tool, and when they leave/navigate away, you don’t retain their auth credentials

Some usage examples:

So forum/websites logins, OIDC (with email scope).
Basic website with login, OIDC
Tools for sub alerts/notifications, oAuth (scopes as needed).
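The state/nonce handling discussed in this answer, as an added illustration that is not code from the thread or from any provider's SDK: a minimal relying-party sketch in Python (standard library only). It assumes hypothetical endpoint URLs, client id and redirect URI, and it signs the constructed sample ID token with HS256 and a shared key purely so the demo is self-contained; real providers normally sign with RS256 and publish keys via JWKS, which a JOSE library should verify, but the claim checks (iss, aud, exp, nonce) are the same. `state` binds the callback to the browser session (CSRF protection); `nonce` binds the returned ID token to this specific login attempt (replay protection), which is the property plain OAuth does not give you.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def start_login(session: dict, auth_endpoint: str, client_id: str,
                redirect_uri: str, extra_scopes: list) -> str:
    """Build the authorization URL. state guards the callback against CSRF;
    nonce ties the ID token we get back to this exact login attempt."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    session["oidc_state"] = state   # server-side session, never a query param
    session["oidc_nonce"] = nonce
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(["openid", *extra_scopes]),  # openid makes it OIDC
        "state": state,
        "nonce": nonce,
    }
    return f"{auth_endpoint}?{urlencode(params)}"


def check_callback(session: dict, callback_url: str) -> str:
    """Validate the state echoed back on the redirect; return the auth code."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oidc_state", None)  # single use: pop, don't get
    received = query.get("state", [None])[0]
    if not expected or not received or \
            not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: possible CSRF or stale login")
    codes = query.get("code")
    if not codes:
        raise ValueError("callback carried no authorization code")
    return codes[0]


def verify_id_token(id_token: str, key: bytes, issuer: str, client_id: str,
                    expected_nonce: str, now: Optional[float] = None) -> dict:
    """Check the signature and the claims OIDC requires a relying party to
    validate. HS256 with a shared key is used only so the demo runs offline."""
    now = time.time() if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(head_b64))
    if header.get("alg") != "HS256":   # never let the token choose the algorithm
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signed = f"{head_b64}.{body_b64}".encode()
    expected_sig = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:        # short-lived, cannot be refreshed
        raise ValueError("ID token expired")
    got_nonce = str(claims.get("nonce", "")).encode()
    if not hmac.compare_digest(got_nonce, expected_nonce.encode()):
        raise ValueError("nonce mismatch: token replayed or from another login")
    return claims


def make_sample_id_token(key: bytes, claims: dict) -> str:
    """Constructed stand-in for the provider's token endpoint (demo only)."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"


if __name__ == "__main__":
    key = b"constructed-demo-key"          # placeholder, not a real secret
    session = {}
    url = start_login(session, "https://idp.example/authorize", "client-abc",
                      "https://app.example/cb", ["email"])
    print("redirect user to:", url)
    code = check_callback(session, "https://app.example/cb?code=xyz&state="
                          + session["oidc_state"])
    now = time.time()
    token = make_sample_id_token(key, {"iss": "https://idp.example",
                                       "aud": "client-abc", "sub": "123",
                                       "iat": now, "exp": now + 300,
                                       "nonce": session["oidc_nonce"]})
    print("logged in as:", verify_id_token(token, key, "https://idp.example",
                                           "client-abc", session["oidc_nonce"])["sub"])
```

Once the ID token checks out you have an authenticated user for this visit and can discard the access token, as the answer suggests; only keep an OAuth access/refresh token if the tool genuinely needs to act on the account after the user has left.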

You’re the man Barry! I love how helpful you are on so many threads, and I appreciate your thorough and thoughtful response. Thank you :smiley:

