13 Deepening security with OpenID Connect
This chapter covers
- Boosting security with Proof Key for Code Exchange (PKCE) in the authorization code flow.
- Simplifying user logins and maintaining sessions with refresh tokens.
- Enhancing user identity management with OpenID Connect's identity layer and additional features.
- Implementing multitenancy with OIDC.
As Acme Inc. grew rapidly, we realized we needed a better and safer way for users to log in. That’s when we decided to set up Single Sign-On (SSO), which lets users access multiple apps with just one login. To do this right, we had to separate the job of checking who a user is (authentication) from the app that handles the user’s data (the backend). This setup makes things safer and easier to manage.
Of course, we couldn't just make it up as we went along—we needed a solid, trusted standard to guide us. That’s how we found OAuth 2 and OpenID Connect (OIDC). OAuth 2 is an authorization framework that lets an app obtain limited access to a user's data without the user ever handing that app their password. OpenID Connect builds on OAuth 2 by adding an identity layer: a standard way to confirm who the user is. It’s like OAuth 2 is the pizza crust, and OpenID Connect is the delicious cheese and toppings. Who wants plain crust anyway?
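To make the first bullet concrete, here is an added example (not code from the book or from Acme Inc.) of the PKCE mechanism in the authorization code flow: the client derives an S256 code challenge from a secret verifier, the authorization server stores the challenge with the issued code, and the token endpoint only releases tokens to whoever can present the matching verifier. The `AuthorizationServer` class is a constructed stand-in for the two endpoints, with no user authentication, redirect handling, or real tokens.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url encoding with the '=' padding removed, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: a high-entropy secret kept in memory for this single login attempt."""
    return b64url(secrets.token_bytes(32))  # 43 characters, within the allowed 43..128 range


def make_code_challenge(verifier: str) -> str:
    """Client side: S256 challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Constructed stand-in for the authorize and token endpoints (not a real server)."""

    def __init__(self) -> None:
        self._codes = {}  # authorization code -> (code_challenge, code_challenge_method)

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        # In the real flow the user authenticates here; we only bind the challenge to the code.
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = (code_challenge, method)
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        # Codes are single-use: pop it so a replayed code fails even with the right verifier.
        entry = self._codes.pop(code, None)
        if entry is None:
            return False
        challenge, method = entry
        if method != "S256" or not (43 <= len(code_verifier) <= 128):
            return False
        # Recompute the challenge from the presented verifier and compare in constant time.
        return secrets.compare_digest(make_code_challenge(code_verifier), challenge)


def run_flow(server: AuthorizationServer, wrong_verifier: bool = False) -> bool:
    """One authorization code exchange. With wrong_verifier=True, the party redeeming
    the code does not hold the original verifier, so the exchange must be rejected."""
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier))
    presented = make_code_verifier() if wrong_verifier else verifier
    return server.token(code, presented)
```

The test vector from RFC 7636 Appendix B (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk`) is a quick way to confirm that `make_code_challenge` matches what real providers compute.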