IDPros / bok

This is a public comment environment for the IDPro body of knowledge.

About OIDC terminology #84

Closed kg0r0 closed 1 year ago

kg0r0 commented 2 years ago

The OIDC terminology specifically states that it is an authorization_code grant type, but I think this is incorrect. https://github.com/IDPros/bok/blob/ac21ecd6f8541f1d1b4f7e34924b7d1ab9b25807/terminology.md?plain=1#L673-L674 For example, the issuance of an ID token by "response_type=id_token" is not related to "authorization_code grant type". https://openid.net/specs/openid-connect-core-1_0.html#id_tokenExample

I apologize if my perception is wrong.
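Added example, not part of the thread or the IDPro terminology text: it illustrates the distinction raised above by building an authorization request for response_type=code (authorization code flow) and for response_type=id_token (implicit flow), where the ID token comes straight back in the redirect fragment without any code exchange, and then validating that ID token on the client side. The issuer, client_id, redirect URI, signing key and sub value are constructed placeholders; the HS256 signing routine stands in for the OP so the code runs offline, and the validation checks (alg, signature, iss, aud, exp, nonce) follow the ID Token Validation rules of OpenID Connect Core, which make nonce mandatory whenever an ID token is returned from the authorization endpoint.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for a hypothetical OP and client; not from any real deployment.
ISSUER = "https://op.example"
CLIENT_ID = "s6BhdRkqt3"
REDIRECT_URI = "https://client.example/cb"
SHARED_KEY = b"constructed-hs256-key-for-demo-only"  # stand-in for the OP's signing key


def build_authorization_request(response_type, state, nonce=None):
    """Build the authorization-endpoint URL for the given response_type.

    response_type=code is the authorization code flow. response_type=id_token
    (or "id_token token") is the implicit flow: the ID token is returned in the
    redirect fragment with no code exchange at all. OIDC Core makes nonce
    REQUIRED whenever an ID token is returned from the authorization endpoint,
    so that case is enforced here.
    """
    params = {
        "response_type": response_type,
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
    }
    if "id_token" in response_type.split():
        if not nonce:
            raise ValueError("nonce is required when an ID token is requested from the authorization endpoint")
        params["nonce"] = nonce
    return f"{ISSUER}/authorize?{urlencode(params)}"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(nonce, key=SHARED_KEY, now=None, alg="HS256"):
    """Stand-in for the OP: issue an HS256-signed ID token (or an unsigned one if alg='none')."""
    now = int(time.time()) if now is None else now
    header = {"alg": alg, "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID,
              "exp": now + 300, "iat": now, "nonce": nonce}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def parse_implicit_response(redirect_url):
    """Implicit-flow responses arrive in the URL fragment, not the query string."""
    fragment = urlparse(redirect_url).fragment
    return {k: v[0] for k, v in parse_qs(fragment).items()}


def validate_id_token(token, expected_nonce, key=SHARED_KEY, now=None):
    """Client-side ID token validation; raises ValueError on any failed check."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # pin the algorithm: rejects 'none' and alg confusion
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")  # replayed or injected ID token
    return claims


def id_token_ok(token, expected_nonce, key=SHARED_KEY, now=None):
    """Boolean wrapper around validate_id_token for callers that only need pass/fail."""
    try:
        validate_id_token(token, expected_nonce, key=key, now=now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(build_authorization_request("code", state="st1"))
    print(build_authorization_request("id_token", state="st2", nonce="n-0S6_WzA2Mj"))
    token = mint_id_token("n-0S6_WzA2Mj")
    response = parse_implicit_response(f"{REDIRECT_URI}#id_token={token}&state=st2")
    print(validate_id_token(response["id_token"], expected_nonce="n-0S6_WzA2Mj"))
```

The code-flow request carries no nonce and yields only a code that must later be exchanged at the token endpoint; the id_token request carries a nonce and yields the ID token directly, which is why the client must bind the returned nonce to its session before trusting the token.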

patricklunney commented 2 years ago

It can probably just be updated to "OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 [RFC6749] protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner."

patricklunney commented 2 years ago

Or: "OpenID Connect is an authentication and authorization framework built on top of OAuth2.0. It was created to allow not only to authorize clients to obtain information but also includes the ability for clients to obtain information about the user after the user is authenticated." I actually prefer this one.

kg0r0 commented 2 years ago

Thanks for the confirmation. The latter explanation looks better to me as well. In the short description, the exact usage of the terms OAuth and OIDC is complicated, as sometimes the following:

hlflanagan commented 1 year ago

Catching up on old issues - this article and associated terminology were updated in v2. See https://bok.idpro.org/article/id/62/