Sign In with LinkedIn v2 - OpenID Connect Authentication

Motivation

Historically at LinkedIn, OAuth 2.0 was used for both authentication and authorization purposes. However, OAuth 2.0 is an authorization framework never meant to address authentication. For example, an access token could contain information about the user who delegated the access, but it does not reveal the user’s identity. Additionally, access token authenticity cannot be easily verified before its usage to validate whether it belongs to the same user who provided delegated access.

We are adopting OpenID Connect authentication to provide an added identity layer on top of the OAuth 2.0 framework. Before we look into the benefits OpenID Connect provides, let’s understand the key difference between authentication and authorization, since the two are often thought of (and used) interchangeably.

Authentication vs. Authorization

  • Authentication is the process of verifying an identity (who they say they are)
  • Authorization is the process of verifying what access the caller has (permissions)

OIDC Authentication and Authorization Workflow

OpenID Connect implements authentication as an extension to the OAuth 2.0 authorization process. The ID token is the primary extension OIDC makes to OAuth 2.0 to authenticate users. In this design, we will implement OpenID Connect Core and identify OIDC authentication requests by the new “openid” member permission, passed as an additional value in the scope parameter. This design will address the following steps in detail.

OpenID Connect Authentication Flow

The ID token carries authentication information in the form of claims, including the claims OIDC requires. These claims describe the authenticated user and the authentication event, such as “how and when” the authentication was performed. The ID token is a JSON Web Token (JWT) containing digitally signed information about a user. A JWT holds a collection of “claims”, each a key-value pair in JSON format. Because the token is signed, a client can verify that these claims were issued by the OpenID Provider (OP). The ID token cannot be used as an access token to call resource APIs. Its only purpose is to provide identity information in JWT format, which partner apps can then use for session management.
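The two pieces described above, an authorization request that becomes an OIDC authentication request by carrying the "openid" scope, and a client that verifies the signed ID token's claims before trusting them, as an added, constructed example. This is not LinkedIn's code; the issuer URL, client id, redirect URI and signing key are placeholders. To stay self-contained it signs with an HMAC shared secret (HS256); a real OP signs ID tokens with an asymmetric key (RS256 by default in OIDC Core) and the client verifies against the OP's published JWKS, but the claim checks are the same.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Constructed values for this example; not LinkedIn's real endpoints or keys.
OP_ISSUER = "https://op.example"            # hypothetical OpenID Provider
CLIENT_ID = "example-client-id"             # hypothetical relying party (client)
SHARED_SECRET = b"constructed-demo-secret"  # HS256 key so the demo runs offline
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "iat")


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_request(redirect_uri: str, state: str, nonce: str) -> str:
    """The 'openid' scope value is what turns a plain OAuth 2.0 authorization
    request into an OIDC authentication request; the nonce ties the ID token
    that comes back to this particular login attempt."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
    }
    return f"{OP_ISSUER}/authorize?" + urlencode(params)


def issue_id_token(sub: str, nonce: str, now: int, lifetime: int = 300) -> str:
    """Stand-in for the OP: mint a JWT with the OIDC-required claims
    (iss, sub, aud, exp, iat) plus auth_time and nonce, signed with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": OP_ISSUER,
        "sub": sub,            # stable identifier of the authenticated member
        "aud": CLIENT_ID,      # the client this token is meant for
        "iat": now,
        "exp": now + lifetime,
        "auth_time": now,      # "when" the authentication happened
        "nonce": nonce,
    }
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(SHARED_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_id_token(token: str, expected_nonce: str, now: int) -> dict:
    """Relying-party side: accept the claims only if the signature is valid and
    they match this OP, this client, and this login attempt."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed JWT: expected three dot-separated parts")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Pin the expected algorithm; never accept 'none' or whatever the token claims.
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{claims_b64}".encode("ascii")
    expected_sig = hmac.new(SHARED_SECRET, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch: token was not issued by the OP")
    claims = json.loads(b64url_decode(claims_b64))
    for name in REQUIRED_CLAIMS:
        if name not in claims:
            raise ValueError(f"missing required claim: {name}")
    if claims["iss"] != OP_ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims["aud"]                      # OIDC allows a string or a list here
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was issued for a different client")
    if now >= claims["exp"]:
        raise ValueError("ID token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token does not belong to this login request")
    return claims


if __name__ == "__main__":
    nonce = "n-constructed-1"
    print(build_authorization_request("https://rp.example/callback", "s1", nonce))
    now = int(time.time())
    token = issue_id_token("member-123", nonce, now)
    print(verify_id_token(token, nonce, now + 1))
```

The verifier deliberately checks the signature before reading any claim, pins the algorithm rather than trusting the header, and compares signatures with `hmac.compare_digest` so a forged token is rejected without leaking timing information. Only after `iss`, `aud`, `exp` and `nonce` all match may the `sub` claim be used to establish the partner app's session; the ID token itself is never sent to a resource API.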

JWT Token Claims

Benefits of Using OpenID Connect 

  • With OIDC authentication, password security risks are minimized because passwords are never shared with client websites. It also accelerates the “Sign Up” process at client websites, since users can sign into thousands of websites with a single existing account instead of creating multiple accounts.
  • Users have better control over their online identity as OpenID is a decentralized standard and is not controlled by any single website or provider.
  • It helps third-party apps improve performance by caching verified user information that can be shared across their various components.

LinkedIn is the Member First network with the largest and most trusted brand of professional identities. OpenID Connect protocol enables the standardized mechanism to provide authenticated members’ verified identity info. It enhances the sign-in experience with appropriate security and semantics for authentication without compromising OAuth's functionality. 

OpenID Connect is now available with the Sign In With LinkedIn V2 product; get started with OpenID Connect today.