When we started writing the core functionality of Auth0, we had to decide which authentication protocols we were going to support. Back then, there were WS-Federation, SAML, and OAuth2. This last one was being widely adopted by companies like Facebook, Google, Microsoft, etc.
The key advantages of OAuth2 are its simplicity (compared to SAML, for example) and the wide availability of libraries already written for different languages and platforms. However, OAuth2 is not an authentication protocol. We started looking at options for our default authentication protocol and found OpenID Connect, which promised to do exactly what we envisioned was needed.
I was fortunate to be personally involved from the beginning. My main concern always being, keeping things as simple as possible. Many thanks to Mike Jones for inviting me to join the working group!
So what is OpenID Connect?
The OpenID Connect core spec is OAuth2 + JSON Web Tokens. Of course it has more than that (session management, dynamic client registration and others), but the core is simple. By having a signed token we can validate that the user is being authenticated to the right application (the token's audience) by the right identity provider (its issuer), avoiding the confused deputy problem. That token can also be used to flow the identity of the user to an API, which is very useful in native mobile and single page applications, as we touched on in our Cookies vs. Tokens article.
JWT popularity is growing every day. Here are some open source libraries you can use to get started:
- ASP.NET Web Api
- ASP.NET (Owin)