OpenID Connect (OIDC)
OIDC is an identity layer built on top of OAuth 2.0, providing authentication capabilities in addition to OAuth's authorization.
OAuth 2.0 (Authorization) + Identity Layer = OIDC (Authentication)
Key Differences from OAuth 2.0
| OAuth 2.0 | OIDC |
|---|---|
| Authorization framework | Authentication protocol |
| Gives "access token" | Gives "ID token" (JWT) |
| No standard user identity claims | Provides user identity information (standard claims such as `sub`, `iss`, `aud`) |
ID Token Structure
{ "iss": "https://server.example.com", "sub": "24400320", "aud":
"s6BhdRkqt3", "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, "iat":
1311280970, "auth_time": 1311280969, "acr":
"urn:mace:incommon:iap:silver" }
Authentication Flow
- User initiates authentication
- Client app redirects to OIDC provider
- User authenticates with provider
- Provider returns ID token and optionally access token
- Client validates ID token
- Client uses claims from ID token to authenticate user
UserInfo Endpoint
OIDC adds a UserInfo endpoint to retrieve additional user information:
```http
GET /userinfo HTTP/1.1
Host: server.example.com
Authorization: Bearer SlAV32hkKG
```
Pros & Cons
- ✅ Standardized authentication
- ✅ Built on proven OAuth 2.0 foundation
- ✅ Provides identity information
- ✅ Supports multiple signing algorithms
- ❌ Adds complexity over standard OAuth