Authentication
Intermediate

OpenID Connect (OIDC)

An identity layer built on top of OAuth 2.0 that enables clients to verify the identity of the end-user and obtain basic profile information.

Also known as: OIDC, OpenID Connect 1.0, OIDC Core

Description

OpenID Connect (OIDC) extends OAuth 2.0 with a standardized identity layer, adding authentication on top of OAuth's authorization capabilities. While OAuth 2.0 answers 'what can this application access?', OIDC answers 'who is this user?' by introducing the ID token -- a JWT that contains claims about the authentication event and the user's identity. This clean separation of concerns means applications get both identity verification and resource authorization from a single protocol flow.

The protocol defines standard scopes (openid, profile, email, address, phone) and a UserInfo endpoint for retrieving additional claims. It supports multiple authentication flows: Authorization Code Flow (recommended for server-side apps), Implicit Flow (deprecated), and Hybrid Flow. OIDC also introduces a Discovery mechanism (.well-known/openid-configuration) that allows clients to dynamically discover provider endpoints, supported scopes, and signing algorithms.

OIDC is the foundation of modern SSO implementations and federated identity. Providers like Google, Microsoft, Apple, and Okta all implement OIDC, making it the de facto standard for user authentication across the web. Proper implementation requires validating ID token signatures against the provider's JWKS, checking issuer and audience claims, verifying nonce for replay protection, and respecting token expiration.

Prompt Snippet

Integrate OpenID Connect authentication using the Authorization Code Flow with PKCE. Discover provider endpoints via .well-known/openid-configuration. Request openid, profile, and email scopes. Validate the returned ID token by verifying the JWT signature against the provider's JWKS endpoint, checking iss matches the expected issuer, aud contains your client_id, exp is not past, and nonce matches the one sent in the auth request. Store the ID token claims in a server-side session and use the access token for UserInfo endpoint calls.
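The ID token checks listed in the description and the prompt snippet (iss, aud, exp, nonce, plus key selection from the JWKS), as an added Python example that is not part of this page. It assumes the token header and claims have already been parsed from the JWT's base64url segments, delegates the actual signature check over the selected JWK to a JWT library, and uses a constructed JWKS, header, claims, issuer and client_id.

```python
import time
# Only the asymmetric algorithms an OIDC provider publishes JWKS keys for;
# "none" and the HS* family are refused before any key is looked up.
ALLOWED_ALGS = {"RS256", "ES256"}

def select_signing_key(jwks: dict, header: dict) -> dict:
    """Return the provider JWK named by the token header's kid, refusing unexpected algs."""
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"unexpected alg {alg!r}")
    for key in jwks.get("keys", []):
        if key.get("kid") == header.get("kid") and key.get("use", "sig") == "sig":
            if key.get("alg", alg) != alg:
                raise ValueError("JWK alg does not match the token header alg")
            return key  # pass this key to your JWT library for signature verification
    raise ValueError(f"no signing key with kid {header.get('kid')!r}")

def validate_id_token_claims(claims: dict, issuer: str, client_id: str,
                             expected_nonce: str, now=None, skew: int = 60) -> dict:
    """Check iss, aud (and azp), exp, iat and nonce; raise on the first failure."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # aud may be a string or an array
    if client_id not in audiences:
        raise ValueError("aud does not contain client_id")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp must equal client_id when aud lists several audiences")
    if not isinstance(claims.get("exp"), (int, float)) or now > claims["exp"] + skew:
        raise ValueError("exp missing or ID token expired")
    if isinstance(claims.get("iat"), (int, float)) and claims["iat"] > now + skew:
        raise ValueError("iat is in the future")
    if claims.get("nonce") != expected_nonce:  # the nonce sent in the auth request must come back
        raise ValueError("nonce mismatch")
    return claims

# Constructed sample: a JWKS with one key and an already-parsed ID token header/claims.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "2024-key", "use": "sig", "alg": "RS256",
                         "n": "<constructed-placeholder-modulus>", "e": "AQAB"}]}
SAMPLE_HEADER = {"alg": "RS256", "kid": "2024-key", "typ": "JWT"}
SAMPLE_CLAIMS = {"iss": "https://issuer.example", "sub": "user-123",
                 "aud": ["client-abc", "other-client"], "azp": "client-abc",
                 "exp": 1_700_003_600, "iat": 1_700_000_000, "nonce": "n-0S6_WzA2Mj"}

def demo(now: float = 1_700_000_100) -> dict:
    select_signing_key(SAMPLE_JWKS, SAMPLE_HEADER)  # key selection must succeed first
    return validate_id_token_claims(SAMPLE_CLAIMS, "https://issuer.example",
                                    "client-abc", "n-0S6_WzA2Mj", now=now)
```

Run `demo()` to see the validated claims; every failing check raises `ValueError` so a caller cannot accidentally continue with a half-validated token.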

Tags

oidc, identity, authentication, sso, federation, jwt