OpenID Connect (OIDC)

OIDC is an identity layer built on top of OAuth 2.0, providing authentication capabilities in addition to OAuth's authorization.

OAuth 2.0 (Authorization) + Identity Layer = OIDC (Authentication)

Key Differences from OAuth 2.0

OAuth 2.0 OIDC
Authorization framework Authentication protocol
Gives "access token" Gives "ID token" (JWT)
No user info Provides user identity information

ID Token Structure

```json { "iss": "https://server.example.com", "sub": "24400320", "aud": "s6BhdRkqt3", "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, "iat": 1311280970, "auth_time": 1311280969, "acr": "urn:mace:incommon:iap:silver" } ```

Authentication Flow

  1. User initiates authentication
  2. Client app redirects to OIDC provider
  3. User authenticates with provider
  4. Provider returns ID token and optionally access token
  5. Client validates ID token
  6. Client uses claims from ID token to authenticate user

UserInfo Endpoint

OIDC adds a UserInfo endpoint to retrieve additional user information:

```http GET /userinfo HTTP/1.1 Host: server.example.com Authorization: Bearer SlAV32hkKG ```

Pros & Cons

  • ✅ Standardized authentication
  • ✅ Built on proven OAuth 2.0 foundation
  • ✅ Provides identity information
  • ✅ Supports multiple signing algorithms
  • ❌ Adds complexity over standard OAuth