
SAML vs OAuth vs OpenID Connect: Understanding the Differences

  • Post last modified: 22 September 2023

As a technologist, I’ve often wondered how SAML, OAuth, and OpenID Connect differ from one another. With security and user experience being top priorities in today’s digital world, it’s crucial to understand these industry standards. In this article, I’ll explore the unique features, use cases, and integration possibilities of SAML, OAuth, and OpenID Connect.

By the end, you’ll have a comprehensive understanding of these authentication and authorization mechanisms so you can make informed decisions for your needs. Let’s dive in and unravel these fascinating standards.

Key Takeaways

  • OAuth 2.0 controls authorization to a protected resource, while OpenID Connect and SAML are industry standards for federated authentication.
  • OAuth 2.0 is used for granting access to third-party applications, OpenID Connect is used for authentication with popular platforms, and SAML is used for authentication in the workplace.
  • OAuth 2.0 provides secure delegated access, allowing applications to access resources on behalf of the user.
  • OpenID Connect enables users to sign in to multiple websites and apps without sharing credentials, while SAML enables single sign-on in enterprise environments.

History and Background

In understanding the history and background of SAML, it is important to recognize its role in simplifying federated authentication and authorization. SAML, which stands for Security Assertion Markup Language, is an industry standard used for exchanging authentication and authorization data between different systems. It was first introduced in 2001 by the Organization for the Advancement of Structured Information Standards (OASIS).

Before SAML, organizations faced challenges in managing multiple user credentials for different applications and services. SAML addressed this issue by introducing a standardized way of exchanging authentication and authorization information. It allowed organizations to implement single sign-on (SSO), where users only needed to authenticate once to access multiple applications. This greatly simplified the user experience and improved security.

SAML operates on the basis of trust between the identity provider (IdP) and the service provider (SP). When a user tries to access a service provided by the SP, the SP sends an authentication request to the IdP. The IdP then verifies the user’s identity and generates an authentication assertion, which is sent back to the SP. Based on this assertion, the SP grants or denies the user access to the requested service.

SAML has been widely adopted in enterprise environments for its ability to provide secure and seamless access to multiple applications. However, with the emergence of newer standards like OAuth and OpenID Connect, the landscape has become more complex. In the next section, we will explore the differences between SAML, OAuth, and OpenID Connect to better understand their respective roles in authentication and authorization.

What’s the Difference Between OAuth, OpenID Connect, and SAML?

OAuth, OpenID Connect, and SAML are all standards used in the authentication and authorization processes, but they serve different purposes. OAuth 2.0 focuses on granting access to protected resources for third-party applications without sharing user credentials. OpenID Connect is used for user authentication and allows users to sign in to multiple websites without sharing their login credentials. SAML, on the other hand, is commonly used in enterprise environments for single sign-on and accessing multiple applications with a single login.

The Differences Between Standards

I have learned that there are significant differences between OAuth, OpenID Connect, and SAML in terms of their authentication and authorization capabilities. OAuth 2.0 focuses on authorization and provides secure delegated access to resources, allowing applications to access user data without exposing user credentials. It is commonly used for granting access to third-party applications and APIs. On the other hand, OpenID Connect is an authentication layer built on top of OAuth 2.0. It addresses the lack of authentication in OAuth and is used for user authentication, enabling users to sign in to multiple websites and apps without sharing credentials.

Lastly, SAML (Security Assertion Markup Language) is a protocol used for authentication and authorization. It simplifies federated authentication, including single sign-on, in enterprise environments. SAML relies on an exchange of messages in XML format between the service provider and the identity provider. Overall, each protocol serves different purposes and has specific use cases in the realm of authentication and authorization.

OAuth 2.0 vs OpenID Connect vs SAML

OAuth 2.0, OpenID Connect, and SAML each address distinct aspects of authentication and authorization, and they often serve different use cases. OAuth is a framework primarily designed for authorization, allowing third-party applications to access certain resources without exposing user credentials. OpenID Connect specializes in user authentication and is often used for Single Sign-On (SSO), enabling users to log into multiple services with a single set of credentials. SAML is another SSO solution frequently used in enterprise settings, facilitating access to multiple applications through one login process.

Feature/Use Case | OAuth 2.0 | OpenID Connect | SAML
--- | --- | --- | ---
Primary Focus | Authorization | Authentication | Authentication
Common Use Cases | Access delegation | Single Sign-On (SSO) | Enterprise SSO
Typical Implementers | Third-party apps | Popular platforms like Google, Facebook | Enterprise services like Salesforce, Workday
Strengths | Fine-grained access control | Identity verification | Comprehensive enterprise authentication
Built On | OAuth is a framework | Built on OAuth 2.0 | Independent standard
Open Standard | Yes | Yes | No (but widely adopted)
Authentication vs Authorization | Primarily Authorization | Primarily Authentication | Primarily Authentication

While OAuth is commonly deployed where delegation of access is needed, OpenID Connect is a favorite for identity verification on platforms like Google and Facebook. SAML is usually reserved for complex enterprise environments to authenticate users for various internal services. Understanding the time and place for each—OAuth for authorization, OpenID for authentication, and SAML for enterprise-level authentication—is crucial when deciding on a security framework. Each has its unique strengths and caters to different needs, underscoring the importance of discerning between authentication vs authorization in security implementations.

Authentication Method Comparison


Comparing the authentication processes of SAML, OAuth, and OpenID Connect is vital for understanding their unique features and making informed decisions on secure user authentication. These authentication frameworks differ in their intended use cases, functionalities, and protocols they utilize.

Key Points to Consider:

  1. SAML (Security Assertion Markup Language):
    • Focused on federated authentication, predominantly in enterprise settings.
    • Uses XML-based messages, known as security assertions, for information exchange.
    • Facilitates federated authentication by enabling single sign-on (SSO) through browser session cookies.
  2. OAuth (Open Authorization):
    • Designed for secure, delegated access to APIs, applications, and devices.
    • Permits applications to use user data without requiring access to user credentials.
    • Often employed to grant access to third-party applications and APIs.
  3. OpenID Connect:
    • Serves as an authentication layer, developed on top of OAuth 2.0.
    • Fills the authentication gap in OAuth, making it apt for authorizing sensitive transactions.
    • Utilizes JSON Web Tokens (JWTs) to maintain the integrity of access and ID tokens.

By understanding these key points, you can make a more informed choice when selecting an authentication method for your application or system. Whether you’re focusing on federated authentication within an enterprise (SAML), delegating secure access to third-party applications (OAuth), or seeking a robust method for both authentication and authorization (OpenID Connect), each standard has its own set of benefits and limitations. Be sure to assess your specific needs and security requirements when choosing among these options.

Authorization Process Comparison

When evaluating the authorization frameworks of SAML, OAuth, and OpenID Connect, it’s crucial to differentiate their distinct functionalities and applications. SAML specializes in facilitating single sign-on (SSO) across various enterprise applications and employs XML-based messages for secure authentication and authorization. OAuth 2.0 is designed for authorizing delegated access to specific resources, such as applications or files. It enables third-party applications to access these resources without needing the user’s credentials.

OpenID Connect, built on the OAuth 2.0 framework, extends its capabilities to include user authentication. This allows for seamless logins across multiple platforms, including popular consumer websites and mobile apps like Google and Facebook. The protocol uses JSON Web Tokens (JWTs) to validate both access and ID tokens, ensuring data integrity. While OAuth 2.0 is the go-to for web and mobile applications requiring third-party resource access, OpenID Connect is favored for consumer-facing platforms requiring robust user authentication. SAML remains the standard choice for enterprise-level SSO, frequently seen in corporate settings where federated authentication is a requirement.

Feature / Protocol | SAML | OAuth 2.0 | OpenID Connect
--- | --- | --- | ---
Purpose | Federated Authentication | Delegated Authorization | User Authentication
Data Format | XML-based | URL parameters, JSON | JSON Web Tokens (JWTs)
Common Uses | Enterprise Single Sign-On (SSO) | Third-party application/resource access | Consumer website and mobile app logins
Tokens | Security Assertions | Access Token, Refresh Token | Access Token, ID Token
Built On | | | OAuth 2.0
Authentication vs Authorization | Both | Authorization | Both

Each row in the table outlines a different aspect of the three protocols:

  • Purpose: What the protocol is generally used for.
  • Data Format: The type of data it uses for messages.
  • Common Uses: Where you’re most likely to encounter each protocol.
  • Tokens: The kind of tokens used by each protocol.
  • Built On: What underlying technologies each protocol is built on.
  • Authentication vs Authorization: Whether the protocol is used for authentication, authorization, or both.

Use Cases and Applications

OAuth 2.0 provides secure delegated access, allowing applications to access resources on behalf of the user, while OpenID Connect and SAML are industry standards for federated authentication.

  • Use Case: OAuth 2.0 is commonly used for granting access to third-party applications, making it ideal for scenarios where users want to sign up for applications and grant access without sharing their credentials. It also enables applications to source new contacts from social media platforms and allows users to authorize actions or access resources on their behalf.
  • Use Case: OpenID Connect is widely used for user logins on consumer websites and mobile apps. It enables users to sign in to multiple websites and apps without sharing their credentials, providing a seamless and convenient user experience. It is also commonly used for authentication with popular platforms like Google and Facebook.
  • Use Case: SAML is commonly used in enterprise environments for single sign-on (SSO) and accessing multiple applications with a single login. It simplifies the authentication process for users, reducing the need for multiple logins and enhancing productivity. SAML is often used to authenticate users in the workplace, accessing services like Salesforce or Workday.

When considering whether to use OpenID Connect or SAML, it is important to consider the specific use case. OpenID Connect is suitable for scenarios where users need to sign in to multiple websites and apps without sharing credentials, making it ideal for consumer-facing applications. On the other hand, SAML is commonly used in enterprise environments for single sign-on and accessing various services with a single login, making it a preferred choice for workplace authentication.

Security Considerations


From my experience, one important security consideration is the need to protect sensitive user information during the authentication process. When comparing SAML, OAuth, and OpenID Connect, there are some key differences to consider in terms of security.

SAML (Security Assertion Markup Language) is commonly used in enterprise environments for single sign-on (SSO) and accessing multiple applications with a single login. It relies on an exchange of messages in XML SAML format, which can provide a secure authentication process. However, SAML lacks encryption and relies on SSL/TLS to secure the connections over which its messages travel.

OAuth (Open Authorization) is used when granting access to third-party applications. It provides secure delegated access, allowing applications to access resources on behalf of the user. OAuth, however, lacks encryption and relies on SSL/TLS protocols for securing connections.

OpenID Connect is used for user authentication and enables users to sign in to multiple websites and apps without sharing credentials. It is an authentication layer built on top of OAuth 2.0 and uses JSON Web Tokens (JWT) for ensuring the integrity of access and ID tokens. OpenID Connect provides a more secure authentication process compared to OAuth and SAML.
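The "integrity" that JWTs give an ID token only materialises if the relying party actually verifies the signature and the claims. The block below is an added example (not the article's code) of what a relying party checks before trusting an ID token; it also illustrates the JWT format mentioned in the comparison lists above. It signs with HS256 (HMAC-SHA256 keyed with the client secret, which OpenID Connect permits) using only the standard library; the issuer, client id, nonce, subject and timestamps are constructed sample values. Production relying parties more often verify RS256 signatures with keys fetched from the provider's JWKS endpoint, which changes only the signature step.

```python
# Added example (not the article's code): what an OpenID Connect relying party must
# verify on an ID token before trusting its claims. HS256 = HMAC-SHA256 keyed with the
# client secret. All sample values below are constructed.
import base64, hashlib, hmac, json

SAMPLE_SECRET = b"constructed-client-secret"
SAMPLE_ISSUER = "https://op.example.com"        # hypothetical OpenID Provider
SAMPLE_CLIENT_ID = "client-123"                 # hypothetical relying party
SAMPLE_NONCE = "n-0S6_WzA2Mj"                   # value the RP sent in its request
SAMPLE_NOW = 1695376800                         # 2023-09-22T10:00:00Z as Unix time


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims, secret):
    """Provider side: header.payload.signature, each part base64url encoded."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def make_sample_token():
    return sign_id_token({
        "iss": SAMPLE_ISSUER, "sub": "248289761001", "aud": SAMPLE_CLIENT_ID,
        "iat": SAMPLE_NOW - 10, "exp": SAMPLE_NOW + 3600, "nonce": SAMPLE_NONCE,
    }, SAMPLE_SECRET)


def validate_id_token(token, secret, issuer, client_id, nonce, now, skew=60):
    """Relying-party side. Returns (True, sub) or (False, reason).
    The signature is verified before any claim is read, and the algorithm is pinned
    rather than taken from the token: honouring whatever 'alg' says is the classic
    JWT mistake."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    h, p, s = parts
    try:
        header = json.loads(unb64url(h))
        provided_sig = unb64url(s)
    except ValueError:
        return False, "malformed token"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided_sig):
        return False, "bad signature"
    claims = json.loads(unb64url(p))
    if claims.get("iss") != issuer:
        return False, "unexpected issuer"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        return False, "token not issued for this client"
    if len(aud) > 1 and claims.get("azp") != client_id:
        return False, "multiple audiences without matching azp"
    if now - skew >= claims.get("exp", 0):
        return False, "token expired"
    if claims.get("iat", 0) > now + skew:
        return False, "token issued in the future"
    if claims.get("nonce") != nonce:
        return False, "nonce mismatch"
    return True, claims.get("sub")
```

The nonce check is what ties the ID token to the login the relying party actually started; without it a valid token captured elsewhere could be replayed into a fresh session.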

In terms of security considerations, it is important to evaluate the specific requirements of your application or system. SAML and OpenID Connect offer more robust authentication mechanisms with their use of encryption and JSON Web Tokens. OAuth, on the other hand, may be more suitable for granting access to third-party applications but should be paired with encryption protocols like SSL/TLS for enhanced security.

Integration and Implementation Challenges

I find that one of the key challenges in integrating and implementing SAML, OAuth, and OpenID Connect is ensuring seamless interoperability between different systems and technologies. This requires a deep understanding of the differences between these standards and the ability to navigate their complexities. In particular, there are three main challenges that arise in the integration and implementation of SAML, OAuth, and OpenID Connect:

  • Compatibility: One challenge is ensuring that the different systems and technologies can seamlessly communicate and exchange information. This involves understanding the protocols and message formats used by each standard and ensuring that they can be properly translated and understood by the other systems involved.
  • Security: Another challenge is ensuring that the integration and implementation of these standards does not compromise the security of the systems involved. This requires careful consideration of authentication and authorization mechanisms, encryption protocols, and access control policies to ensure that sensitive information is protected and unauthorized access is prevented.
  • User Experience: Finally, a key challenge is providing a seamless and user-friendly experience for end users. Integrating and implementing SAML, OAuth, and OpenID Connect should not introduce unnecessary complexity or barriers for users. It is important to design and implement authentication and authorization processes that are intuitive, efficient, and easy to use, while still maintaining the necessary security measures.

Overall, integrating and implementing SAML, OAuth, and OpenID Connect requires a careful balance between technical considerations, security requirements, and user experience. By addressing these challenges, organizations can leverage these standards to enhance their systems’ interoperability and provide a secure and seamless experience for their users.

Advantages and Limitations


One advantage of integrating SAML, OAuth, and OpenID Connect is the simplification of authentication and authorization processes, improving user experience. These three standards each serve a unique purpose in the realm of identity management. SAML, or Security Assertion Markup Language, is commonly used in enterprise environments for single sign-on and accessing multiple applications with a single login. OAuth, on the other hand, provides secure delegated access, allowing applications to access resources on behalf of the user without sharing credentials. OpenID Connect, built on top of OAuth, is used for user authentication and enables users to sign in to multiple websites and apps without sharing credentials.

By integrating these standards, organizations can leverage the strengths of each to streamline the authentication and authorization processes. Users can enjoy a seamless experience, as they only need to authenticate once and can then access multiple applications securely. This eliminates the need for repetitive logins and reduces the risk of password fatigue or user errors.

However, it is important to note that there are limitations to consider when implementing these standards. SAML, for example, relies on an exchange of messages in XML SAML format, which can be complex and may require additional resources for implementation and maintenance. OAuth, while providing secure delegated access, does not handle user authentication, which may be a limitation depending on the specific use case. OpenID Connect, while offering improved user experience, still relies on the underlying OAuth protocol for authorization.

Despite these limitations, the advantages of integrating SAML, OAuth, and OpenID Connect outweigh the challenges. This is evident in the increasing industry adoption and standards surrounding these protocols. Organizations across various sectors are embracing these standards to enhance security, simplify authentication and authorization processes, and improve user experience. In the next section, we will delve deeper into the industry adoption and standards surrounding SAML, OAuth, and OpenID Connect.

Industry Adoption and Standards

As an industry professional, I have noticed a significant increase in the adoption and establishment of standards for SAML, OAuth, and OpenID Connect in various sectors. This is a result of the industry recognizing the importance of secure authentication and authorization protocols. Some key points to consider in the comparison of SAML, OAuth, and OpenID Connect are:

  • SAML is commonly used in enterprise environments for single sign-on and accessing multiple applications with a single login. It relies on an exchange of messages in XML SAML format, making it suitable for logging in users to internal networks in enterprises.
  • OAuth 2.0 provides secure delegated access, allowing applications to access resources on behalf of the user. It is used when granting access to third-party applications, making it suitable for signing up for applications and granting access to third-party applications.
  • OpenID Connect is used for user authentication and enables users to sign in to multiple websites and apps without sharing credentials. It is widely used for user logins on consumer websites and mobile apps, and it is commonly used to authenticate users in the workplace for accessing various services.

The industry adoption of these standards is driven by the need for secure and standardized frameworks for authentication and authorization. Organizations recognize the benefits of implementing these standards, including enhanced security, simplified access control, and improved user experience. By adopting SAML, OAuth, and OpenID Connect, organizations are able to provide secure access to resources, protect user data, and streamline the user authentication process.

Choosing the Right Protocol for Your Application

After carefully evaluating the requirements and security needs of my application, I have decided to choose OAuth 2.0 as the protocol for granting secure delegated access. When it comes to choosing the right protocol for your application, it’s important to understand the differences between SAML, OAuth, and OpenID Connect.

Protocol | Use Case | Key Features
--- | --- | ---
SAML | Enterprise environments | Single sign-on, XML-based messages, fine-grained access control
OAuth 2.0 | Granting access to third-party applications | Secure delegated access, no user credentials exposed, widely used
OpenID Connect | User authentication, popular platforms like Google and Facebook | Authentication layer on top of OAuth, JSON Web Tokens for integrity, widely used for logins

Choosing the right protocol depends on your specific use case. If you need to enable single sign-on in an enterprise environment and access multiple applications with a single login, SAML is the appropriate choice. On the other hand, if you want to grant secure delegated access to third-party applications without exposing user credentials, OAuth 2.0 is the way to go. If you require user authentication with popular platforms like Google and Facebook, OpenID Connect is the preferred option.

Understanding the differences between SAML, OAuth, and OpenID Connect is crucial in order to make the right decision for your application. Each protocol has its own strengths and use cases. By carefully assessing your requirements and security needs, you can confidently choose the protocol that best suits your application’s needs.

Final Thoughts

In conclusion, understanding the differences between SAML, OAuth, and OpenID Connect is crucial for ensuring secure access to applications and resources. One interesting statistic is that according to a survey conducted by Ping Identity, 95% of organizations are using SAML for single sign-on authentication. This highlights the widespread adoption and importance of SAML in the industry. By comprehending the unique features, use cases, and integration possibilities of these standards, you can make informed decisions regarding the authentication and authorization mechanisms that best suit your needs.

Frequently Asked Questions

What is an access token?

An access token is a credential used to access protected resources. It is a crucial component of the OAuth 2.0 protocol, an open standard for token-based authentication and authorization. Once a user is authenticated using OAuth 2.0, the authorization server issues an access token to the client application. This token is then used to make authorized API requests on behalf of the user.

Access tokens can be independent of other authentication and authorization standards, but they can also co-exist with them for enhanced security. For example, in the OAuth vs SAML vs OpenID Connect (OIDC) spectrum, SAML is often used for initial authentication via a SAML authentication request. Once the SAML protocol verifies the SAML assertion, an access token may be issued via the OAuth 2.0 framework for subsequent authorized calls. OpenID Connect, built on top of OAuth 2.0, also uses access tokens but adds an id_token to provide additional user information.

In OAuth vs OIDC, while OAuth 2.0 leaves the authentication aspect largely undefined, OpenID Connect is built atop OAuth 2.0 to specifically add authentication capabilities. Similarly, OAuth and SAML serve different purposes but can be used in tandem; while OAuth is mainly for authorization, SAML is an XML-based standard used for both authentication and authorization, and can issue a SAML response that includes a SAML assertion as proof of authentication.

To summarize, an access token is a key part of OAuth 2.0 and can be used in conjunction with other standards like SAML and OpenID Connect depending on the specific needs of your application. Whether you are focusing on authentication or authorization, understanding the role of access tokens within these frameworks is crucial for securing your applications.

How do I use OAuth?

To use OAuth, you need to follow the OAuth protocol which allows users to grant third-party applications access to their resources without sharing their credentials. OAuth provides a secure and standardized way to authorize and authenticate access. It involves obtaining an access token from the OAuth provider, which is then used for subsequent resource requests.

  1. Register the Application: The first step is to register your application with the OAuth server to get the client ID and client secret.
  2. Authorization Request: Direct the user to the OAuth 2.0 authorization server to authenticate. If they approve the app’s request, they’ll be redirected back to your application with an authorization code.
  3. Token Exchange: Your application can exchange the authorization code for an access token by sending a backchannel request to the OAuth server.
  4. Access Protected Resources: Use the access token to make authorized API requests on behalf of the user.
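The four steps above, carried through in code as an added example (not the article's code and not any particular provider's SDK). It makes no network calls; each function builds the request for one step or validates the redirect coming back, which is where the client's own security decisions sit. Beyond the article's steps it adds the random `state` parameter (CSRF protection for the callback) and PKCE (RFC 7636), both standard parts of the authorization-code flow today. The URLs, client id and secret are hypothetical; the authorization code in the test is a constructed value.

```python
# Added example (not the article's code): the client side of the OAuth 2.0
# authorization-code flow, without network calls. Adds 'state' (CSRF protection)
# and PKCE (RFC 7636) to the article's four steps. All URLs, the client id and the
# secret are hypothetical.
import base64, hashlib, hmac, secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://auth.example.com/oauth2/authorize"  # hypothetical
TOKEN_URL = "https://auth.example.com/oauth2/token"          # hypothetical
REDIRECT_URI = "https://app.example.com/callback"            # hypothetical
CLIENT_ID = "my-client-id"                                   # from step 1, constructed


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def begin_authorization(scopes):
    """Step 2: build the redirect. Returns (url, session_state); session_state must be
    stored server-side, bound to the user's browser session, until the callback arrives."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    params = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes), "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    # The challenge is kept only so server_checks_pkce() can illustrate the server side.
    return f"{AUTHORIZE_URL}?{urlencode(params)}", {
        "state": state, "verifier": verifier, "challenge": challenge}


def handle_callback(callback_url, session_state):
    """Step 2, return leg: the browser arrives with ?code=...&state=...
    A state that does not match the stored one is discarded; otherwise a victim's
    session could be made to complete someone else's authorization (login CSRF)."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise ValueError(f"authorization server returned error: {q['error'][0]}")
    received = q.get("state", [""])[0].encode()
    if not hmac.compare_digest(received, session_state["state"].encode()):
        raise ValueError("state mismatch: discarding callback")
    code = q.get("code", [""])[0]
    if not code:
        raise ValueError("callback missing authorization code")
    return code


def build_token_request(code, session_state, client_secret):
    """Step 3: the back-channel POST. Returns (url, form_fields). The client secret and
    the PKCE verifier travel only on this server-to-server request, never via the browser."""
    return TOKEN_URL, {
        "grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID, "client_secret": client_secret,
        "code_verifier": session_state["verifier"],
    }


def server_checks_pkce(verifier, challenge):
    """What the authorization server does at the token endpoint: the verifier must hash
    to the challenge sent in step 2, so an intercepted code alone cannot be redeemed."""
    return hmac.compare_digest(b64url(hashlib.sha256(verifier.encode()).digest()), challenge)


def authorized_headers(access_token):
    """Step 4: present the access token as a Bearer credential (RFC 6750)."""
    return {"Authorization": f"Bearer {access_token}"}
```

Both `state` and the PKCE verifier live in server-side session storage between step 2 and step 3; the callback handler compares against that stored copy, never against anything the browser supplies.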

You can also integrate OAuth with SAML or OpenID Connect for more secure authentication. For example, SAML can handle the initial authentication and produce a SAML token. This SAML token is known and verified by the OAuth 2.0 server to issue an OAuth access token.

What is an open standard?

An open standard refers to a publicly available set of rules and protocols designed to achieve specific functions and ensure compatibility and interoperability among different systems. Open standards are developed and maintained through a collaborative and consensus-driven process, often managed by recognized standardization bodies or communities. In the context of authentication and authorization, OAuth 2.0 and OpenID Connect (OIDC) are examples of open standards.

OAuth 2.0 is a standard for token-based authorization, providing a framework that can be used to secure access to resources. On the other hand, OpenID Connect is built on OAuth 2.0 for the specific purpose of providing user authentication. It is an open standard, just like OAuth 2.0, which means it is publicly available and can be used by anyone. SAML (Security Assertion Markup Language) is another open standard, primarily used for authentication and authorization, which can work in tandem with OAuth for specific use-cases.

These open standards are not mutually exclusive; for instance, SAML can be used for initial authentication in a flow that eventually issues an OAuth 2.0 access token. Likewise, OpenID Connect is often employed purely for authentication even though it is built on top of OAuth. Understanding these open standards like OAuth, OpenID, and SAML, and how they interact with each other in various flows—be it a SAML flow or an OpenID flow—is essential for building secure systems for both authentication and authorization.

What is an OpenID Provider?

An OpenID Provider (OP) is a service that authenticates users and provides identity information to relying parties (the applications or services that request this information). The OpenID Provider implements the OpenID Connect protocol, an open standard for authentication built on top of the OAuth 2.0 framework. Because of that foundation, the same provider can also serve authorization, extending the OAuth functionality already relied on by OAuth-based services.

OpenID is useful for single sign-on (SSO) scenarios, and it is often employed alongside other standards like SAML to provide robust and secure identity solutions. For example, in some instances, an enterprise might use SAML for initial authentication, and then rely on an OpenID Provider to issue tokens for subsequent interactions with various services. Both SAML and OpenID are open standards, and each has its own strengths and uses. SAML 1.1 and other versions are often used for more complex scenarios, including those that require robust attribute-sharing capabilities, although OpenID Connect can also handle many of these requirements.

In the case of OpenID, the flow of authentication is known as the OpenID flow, while in SAML it’s known as a SAML request and response sequence. While OAuth focuses on authorization, OpenID Connect adds an authentication layer on top of it. Therefore, when choosing between OAuth, SAML, and OpenID, it’s important to consider whether the primary requirement is authentication or authorization, as each standard has specific strengths in these areas.

Is OpenID a form of SSO?

Yes, OpenID is often used as a form of Single Sign-On (SSO). OpenID is an open standard that provides a way for users to be authenticated in a decentralized manner, eliminating the need for services to provide their own ad hoc login systems. It focuses on authentication, as opposed to OAuth, which is a framework mainly designed for authorization. OpenID can work in tandem with OAuth to offer a comprehensive security solution that covers both authentication and authorization.

In SSO configurations, OpenID acts as a centralized authentication server that multiple applications can use to verify users’ identities. This simplifies the user experience, as users only need to log in once and can then be automatically authenticated for multiple services. It saves time compared to the traditional approach where each service would have its own separate login system. OpenID and SAML are two of the prominent technologies used for SSO, and each has its own set of features and capabilities. While OpenID is simpler and REST-based, SAML is more feature-rich and XML-based.

So, in summary, OpenID is an open standard that focuses on authentication and is commonly used as a form of SSO, often alongside or in contrast to other technologies like SAML. Both OpenID and OAuth can co-exist, each solving different problems in the domains of authentication and authorization.

What is the difference between SAML 2.0 and OpenID?

SAML 2.0 and OpenID Connect serve similar purposes but operate differently and are suited for different use-cases. Both are open standards for authentication, and they are often used in various identity scenarios, but there are key distinctions between the two.

SAML 2.0 (Security Assertion Markup Language) is an XML-based standard commonly used in enterprise settings. It’s particularly strong in complex scenarios involving multiple parties and federated identities. SAML uses XML documents to pass assertions between the identity provider and the service provider. Although SAML is versatile and can be adapted for a variety of use-cases, it is generally seen as more cumbersome to implement than OpenID Connect.

OpenID Connect, on the other hand, is built on top of the OAuth 2.0 framework and is considered lighter and easier to implement. OAuth can be used for authorization, but OpenID Connect extends it to include authentication. It is often used in consumer-facing apps and is less complex than SAML. It’s an open standard like SAML but leverages JSON instead of XML, making it more straightforward to use in modern web applications.

The choice between SAML 2.0 and OpenID Connect often boils down to the specific needs of a project. If you’re building an enterprise application with complex authentication requirements, SAML might be the better choice. However, if ease of use and integration with modern web technologies are important, OpenID Connect, which builds on OAuth 2.0, is often the preferred option. In summary, while both standards can be used for authentication, they differ in their complexity, underlying frameworks, and best-suited use-cases. It’s essential to understand these differences to choose the right solution for either authentication or authorization needs.

What is the difference between OAuth and OpenID Connect?

OAuth and OpenID Connect are both open standards used in the field of online identity, but they serve different purposes and are used for different things. OAuth is an open standard for access delegation commonly used for authorization. It enables resource owners to grant third-party applications access to their resources without sharing credentials. OAuth acts as a framework that defines how the authorization flows should work, giving users the ability to grant limited access to their data. OAuth 2.0 can be used for various use-cases involving API access and permission delegation.

OpenID Connect, on the other hand, is built on top of the OAuth 2.0 framework and focuses on authentication. While OAuth solves the problem of authorization, OpenID Connect extends OAuth to enable authentication as well. It provides a way to verify the end-user’s identity and obtain basic profile information in an interoperable and REST-like manner. OpenID Connect is an open standard, just like OAuth, and is often used alongside it for modern web applications.

In essence, OAuth is about authorization, dictating what you can do, while OpenID Connect involves authentication, proving who you are. Both are often used in tandem; you’ve likely used OAuth for authorization and OpenID Connect for authentication without even realizing it, especially in cases where single sign-on solutions are deployed. To sum up, while OAuth sets the stage for resource access, OpenID Connect leverages OAuth to provide a full-fledged identity layer on top, covering both authentication and authorization needs.