OpenID Connect (OIDC)

OpenID Connect is a framework built on top of OAuth 2.0 that lets a third-party application obtain a user's identity information, which is managed by a service.

OpenID 1.0 and OpenID 2.0 are old specifications for authentication. Those who made the specifications expected people to use OpenID for authentication. However, some people began to use OAuth 2.0 for authentication (not for authorization) and OAuth authentication has prevailed rapidly.

From the viewpoint of the OpenID guys, authentication based on OAuth was not secure enough, but they had to admit that people preferred OAuth authentication. As a result, the OpenID guys decided to define a new specification, OpenID Connect, on top of OAuth 2.0.

Yes, this has made people much more confused.

Vocabulary

OAuth2 auth protocol#vocabulary

Flow

The flow is the same as OAuth, but the initial request includes a specific scope, scope=openid. This lets the authorization server know that this will be an OIDC exchange.
In the last step, where the client sends back the authorization code (alongside the client ID and client secret), the server responds with both an access token AND an ID token.

There is also a standard way for a client to request additional identity information from the authorization server using an access token.

Resources