OAuth 2.0 vs OpenID Connect: What's the Difference?
OAuth 2.0 and OpenID Connect are often confused, and using the wrong one creates real security holes. The short version: OAuth is for authorization, OIDC is for authentication.
OAuth 2.0 is about access, not identity
OAuth 2.0 lets an application get delegated access to resources on a user's behalf, for example "let this app read my calendar." It issues access tokens scoped to permissions. Crucially, OAuth was never designed to tell you who the user is, and using an access token as proof of login is a classic mistake.
OpenID Connect adds identity
OIDC is a thin layer on top of OAuth 2.0 that adds an ID token (a signed JWT) describing the authenticated user and a standard userinfo endpoint. When you need to log a user in, you want OIDC.
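As an added example (not code from the original article), here is the relying-party check that separates the two cases: a signed ID token whose issuer, audience, expiry, nonce and signature are all verified before the user counts as logged in, while an opaque access token fails at the first step. ISSUER, CLIENT_ID and the shared HS256 secret are constructed placeholders; a real provider signs ID tokens with asymmetric keys published at its JWKS endpoint, and production code should use a vetted JWT library rather than hand-rolled parsing.

```python
import base64, hashlib, hmac, json

# Constructed example values; not from any real identity provider.
ISSUER = "https://idp.example"
CLIENT_ID = "demo-client"
# HS256 with a shared secret keeps the demo self-contained; real providers sign ID tokens
# with asymmetric keys (RS256/ES256) published at their JWKS endpoint.
SHARED_SECRET = b"constructed-demo-secret"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_id_token(subject: str, nonce: str, now: int, audience: str = CLIENT_ID) -> str:
    """Provider side: the ID token OIDC adds on top of the OAuth access token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "sub": subject, "aud": audience,
              "iat": now, "exp": now + 300, "nonce": nonce}
    signing_input = f"{header}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def validate_id_token(token: str, expected_nonce: str, now: int) -> dict:
    """Relying-party side: every check that must pass before the user counts as logged in.
    Returns the verified claims, or raises ValueError with the reason."""
    parts = token.split(".")
    if len(parts) != 3:
        # An opaque OAuth access token lands here: it carries no verifiable identity claims.
        raise ValueError("not a JWT; an access token is not proof of login")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("issued by an unexpected provider")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("issued for a different client; never accept another app's token")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce does not match this login attempt")
    return claims
```

The audience check is the one most often skipped when an access token is misused as a login: a token minted for a different application must be rejected even though its signature is valid.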
A simple rule
- "Log this user in" → OIDC.
- "Let this app act on the user's resources" → OAuth 2.0.
- Securing machine-to-machine workloads or AI agents? See the non-human identity and authorization categories.
Where to start
Read the OAuth 2.0 and OIDC implementation guide, and the related SAML vs OIDC comparison.