The OpenID Connect Protocol
This is a write down of the OpenID Connect protocol as if the messages were exchanged over instant messaging.
The OpenID Connect Protocol is built on top of OAuth 2.0 to add authentication and profile information. Instead (or in addition to) of giving an access token back, it provides back an IdToken (the equivalent of a badge with the user's information).
The user then switches to a different group chat / tab to chat with their IDP:
Here is an example of what an IdToken looks like in real life:
If you Base64 decode this, you get a header:
"name": "Sam Goto",
And a signature.
With the IdToken, the user sends that back to the relying party:
This is a large oversimplification, but should give you a sense of the kinda of privacy property it has.
Specifically, the IDP is involved at every step of the way, from sign-up to sign-in. It is aware of:
- which relying party the user is signing-in to
- at which moment the user is signing in
Notably, the browser / user agent is mostly unaware of what's going on here: it is never invoked.