It is quite possible to use the OAuth 2.0 framework as the basis for building an authentication and identity protocol.
To use OAuth 2.0 as the basis of an authentication protocol, you need to do at least the following:
- Define an endpoint to return attributes about a user
- Define one or more scopes that the third-party applications can use to request identity information from the user
- Define additional error codes and the necessary extension parameters for the scenarios you’ll encounter when dealing with authentication and identity, such as when to re-prompt for the user’s credentials based on session timeouts, or how to allow the user to select a new account when signing in to an application
When a single provider bolts its own additions onto OAuth 2.0 to create an authentication and identity protocol, the result is typically yet another snowflake API with varying degrees of security. OpenID Connect takes the shared knowledge gained from many different implementations and standardizes it into a protocol suitable for enterprise-grade implementations.
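The three ingredients above, as an added example that is not code from the original article: an OpenID Connect authentication request built on top of an ordinary OAuth 2.0 authorization request (the `openid` scope, plus `max_age` and `prompt=select_account` for the session-timeout and account-switching cases), followed by the client-side checks on the returned ID token claims. The issuer, client id and redirect URI are assumed sample values, and the token signature is assumed to have been verified already by a JWT library.

```python
import time
from urllib.parse import urlencode

ISSUER = "https://issuer.example"   # assumed sample identity provider
CLIENT_ID = "my-client"             # assumed sample client id
REDIRECT_URI = "https://client.example/cb"  # assumed sample redirect

def build_auth_request(nonce, state, max_age=None, select_account=False):
    """Turn a plain OAuth 2.0 authorization request into an OIDC
    authentication request: 'openid' asks for identity, max_age bounds
    how old the user's login may be, prompt=select_account lets the
    user pick a different account instead of silently reusing one."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,   # CSRF binding of the redirect
        "nonce": nonce,   # echoed in the ID token; ties it to this request
    }
    if max_age is not None:
        params["max_age"] = str(max_age)
    if select_account:
        params["prompt"] = "select_account"
    return f"{ISSUER}/authorize?{urlencode(params)}"

def validate_id_token_claims(claims, expected_nonce, max_age=None, now=None):
    """Checks an access token alone cannot give you: the assertion is
    from the expected issuer, meant for THIS client, unexpired, bound to
    our nonce, and (if max_age was requested) fresh enough. Returns
    (ok, reason) so the caller can decide whether to re-prompt."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if CLIENT_ID not in aud:
        return False, "token not issued for this client"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch (possible replay)"
    if max_age is not None:
        auth_time = claims.get("auth_time")
        if auth_time is None or now - auth_time > max_age:
            return False, "authentication too old; re-prompt the user"
    return True, "ok"
```

The audience check is the one most often skipped when teams hand-roll "login with OAuth": without it, a token minted for some other client can be replayed to yours.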