OAuth vs. OIDC: The Valet Key and the ID Card

Mid/Senior Engineer Asked at: FAANG, Plaid, Stripe, any company with APIs

Q: Can you explain the difference between Authorization and Authentication, and how OAuth and OpenID Connect (OIDC) relate to them?

Why this matters: This is the fundamental question of modern application security. An engineer who can't clearly distinguish these concepts is a risk. They might build systems that leak data or grant incorrect permissions. This question separates protocol parrots from true architects.

Interview frequency: Extremely High. A cornerstone of system design and backend interviews.

❌ The Death Trap

The vast majority of candidates stumble here. They merge the concepts, use the terms interchangeably, and recite definitions they don't truly understand.

"Well, they're both for security. OAuth is for logging in with Google, and OIDC is like a newer version... they both use tokens to authenticate the user to access resources..."

This is an instant red flag. It shows a shallow understanding of the most critical security primitives on the internet today.

🔄 The Reframe

What they're really asking: "Do you understand the difference between *what a user can do* versus *who a user is*? Can you explain the models of consent and identity that power the entire modern API economy?"

This reveals your ability to think from first principles about security, trust, and user consent. It's about demonstrating wisdom, not just knowledge.

🧠 The Mental Model

Forget the jargon. Everything you need to know can be explained with a simple analogy: The Valet Key and the ID Card.

1. Authentication (AuthN): Proving who you are. This is your ID Card. It answers the question: "Are you really Jane Doe?" It's about identity.

2. Authorization (AuthZ): Proving what you're allowed to do. This is the Valet Key for your car. It doesn't prove you're the owner. It's a limited-permission key you delegate to someone else (the valet) to perform a specific action (park the car). It can't be used to open the trunk. It answers the question: "What are you permitted to do?"

3. OAuth 2.0 is the protocol for creating Valet Keys (Authorization). It's a standard for one service to get permission to access resources on another service, on a user's behalf, without sharing the user's password. It’s all about delegated authority.

4. OpenID Connect (OIDC) is a thin layer on top of OAuth 2.0 that provides ID Cards (Authentication). It uses the same OAuth flow but adds a standard way to get information about the authenticated user, like their name and email. It's about identity.

📖 The War Story

Situation: "We were building a new productivity app, 'MindCanvas,' that would let users create visual mood boards. A key feature was importing photos directly from their Google Photos."

Challenge: "How do we get access to a user's Google Photos? The one thing we absolutely could *not* do was ask for their Google username and password. That's a cardinal sin—it's insecure, breaks user trust, and would get us blacklisted instantly."

Stakes: "The entire product's viability rested on a secure, trustworthy way to connect to a user's data. One mistake here, and our reputation would be destroyed before we even launched."

✅ The Answer

My Thinking Process:

"My first thought was, 'We don't need to be the user, we just need permission to act on their behalf.' This is a classic authorization problem, not an authentication one. We needed a Valet Key, not the master key. This immediately led me to OAuth 2.0."

What I Did:

"We implemented the OAuth 2.0 'Authorization Code' flow. When a user clicked 'Connect Google Photos,' we didn't pop up our own form. We redirected them to Google's familiar sign-in and consent screen. This is critical—the user gives their password to Google, never to us. Google's screen then clearly stated: 'MindCanvas is requesting permission to: View your photos and albums.' The user clicks 'Allow.' Google then gives us an `access_token`. This token is our Valet Key. It's a cryptic string that we can include in API calls to `photos.googleapis.com`. The Google Photos API sees that token and knows, 'Ah, MindCanvas has permission from this user to read photos, but nothing else. Request granted.' That's pure authorization.

But then we had a new requirement: 'Display the user's name in the app, like "Welcome, Jane!"' Our OAuth access token didn't tell us *who* the user was. It just gave us permission. To solve this, we added OpenID Connect. We simply added the `openid profile email` scopes to our initial OAuth request. Now, in addition to the `access_token` (the Valet Key), Google also gave us an `id_token` (the ID Card). This ID token was a JWT (JSON Web Token)."

            /* A decoded ID Token (JWT Payload) */
            {
              "iss": "https://accounts.google.com",  // Issuer: Who gave out this ID card
              "sub": "110169484474386276334",       // Subject: The unique ID of the user
              "aud": "123-abc.apps.googleusercontent.com", // Audience: Who this card is for (us)
              "name": "Jane Doe",
              "email": "jane.doe@example.com"
            }
          

The Outcome:

"By correctly using both protocols, we achieved both goals without compromising security. Users could safely grant us limited access to their photos (Authorization via OAuth), and we could provide a personalized experience by reliably knowing their identity (Authentication via OIDC). This clear, secure flow was a key factor in our early user adoption and trust."

What I Learned:

"I learned that authorization and authentication are not the same, but they are deeply linked. You must first know *who someone is* before you can determine *what they can do*. OIDC provides the 'who,' and OAuth provides the 'what.' Using them together creates a secure, user-centric foundation for any modern application."

🎯 The Memorable Hook

"Remember this: OAuth is for permission, OIDC is for people. OAuth gives an app a temporary key to your digital house. OIDC puts your name on the doorbell so the app knows who lives there."

This makes the distinction visceral and impossible to forget. It shows you can distill complex ideas into simple, powerful truths.

💭 Inevitable Follow-ups

Q: "You mentioned JWTs. What are they and why are they important here?"

Be ready: "A JWT is a secure and compact way to transmit information between parties as a JSON object. The OIDC `id_token` is a JWT. It's important because it's digitally signed by the provider (like Google). My backend can verify that signature using Google's public key, proving the token is authentic and hasn't been tampered with, without needing to make a separate API call back to Google."

Q: "What are OAuth 'scopes' and why do they matter?"

Be ready: "Scopes are the heart of the 'Valet Key' analogy. They define the granular permissions the application is requesting. For example, `photos.readonly` instead of full `photos` access. They enforce the Principle of Least Privilege. As an engineer, you should always request the narrowest possible scopes you need to get the job done. This builds user trust and limits your blast radius if a token is ever compromised."