OIDC (OpenID Connect)

OpenID Connect (OIDC) is an authentication layer built on top of OAuth 2.0. OAuth 2.0 on its own defines delegated authorization (how a client obtains limited access to resources on a user's behalf); it says nothing about who the user is, and an access token alone does not prove identity. OIDC adds that: a standardized ID Token that tells the client who authenticated, a defined set of user claims, and a UserInfo endpoint for retrieving more of them.

How it works

OIDC reuses the OAuth 2.0 Authorization Code flow with one addition: when the client includes the openid scope in its request, the authorization server (the OpenID Provider) returns an ID Token alongside the access token. The ID Token is a signed JWT containing claims about the authenticated user (sub is required; email, name and similar claims may be included or fetched later from the UserInfo endpoint using the access token) and about the authentication event (iss, aud, exp, iat, and the nonce the client sent with the request). The two tokens have different consumers: the access token is presented to resource servers, while the ID Token is addressed to the client itself (aud is the client_id) and must not be forwarded to APIs as a bearer credential. Before establishing a session the client must verify the signature against the provider's published keys, and check that iss matches the configured issuer, that aud contains its own client_id, that exp has not passed, and that nonce equals the value it stored before redirecting. Skipping any of these checks is a classic source of account takeover, since a token that is merely well-formed may have been issued to a different client, by a different provider, or replayed from an earlier login.
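The validation steps above, as an added example that is not part of the original page. It mints an ID Token the way a provider would and then validates it the way a client must, rejecting the usual mistakes: an alg=none token, a valid token minted for a different client, an expired token, a replayed nonce, and a tampered payload. Everything here is constructed: the issuer URL, client_id and client_secret are placeholders, and the token is signed with HS256 keyed on the client_secret (which OIDC Core permits) so the example runs on the standard library alone. Real deployments normally use RS256 or ES256 with keys fetched from the provider's jwks_uri and a JWT library; the claim checks are the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example; none of them belong to a real provider or client.
ISSUER = "https://op.example.com"
CLIENT_ID = "my-web-app"
CLIENT_SECRET = b"constructed-client-secret-do-not-reuse"
NOW = 1_700_000_000  # fixed "current time" so the example is deterministic


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build a JWT as the provider would. alg='none' is supported only so the
    validator below can be shown rejecting it."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class IDTokenError(ValueError):
    """Raised for any reason the client must not accept the token."""


def validate_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                      expected_nonce: str, now: float = None) -> dict:
    """Client-side ID Token validation; returns the claims only if every check passes."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IDTokenError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # 1. Pin the algorithm the client expects; never let the token header choose it.
    if header.get("alg") != "HS256":
        raise IDTokenError("unexpected alg %r" % header.get("alg"))
    expected_sig = hmac.new(secret, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise IDTokenError("bad signature")
    claims = json.loads(_b64url_decode(p))
    # 2. iss must be exactly the issuer this client was configured with.
    if claims.get("iss") != issuer:
        raise IDTokenError("wrong issuer")
    # 3. aud must contain our client_id; a genuine token for another client is not ours.
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise IDTokenError("token not intended for this client")
    if (len(aud) > 1 or "azp" in claims) and claims.get("azp") != client_id:
        raise IDTokenError("azp must name this client")
    # 4. Lifetime: exp is a NUMERIC date; reject anything at or past it.
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise IDTokenError("token expired")
    # 5. nonce binds the token to the session that started this login (anti-replay).
    if claims.get("nonce") != expected_nonce:
        raise IDTokenError("nonce mismatch (replayed or cross-session token)")
    if not claims.get("sub"):
        raise IDTokenError("missing sub")
    return claims


def verdict(token: str, expected_nonce: str, now: float) -> str:
    """'ok' or the rejection reason, for the sample tokens below."""
    try:
        validate_id_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID, expected_nonce, now)
        return "ok"
    except IDTokenError as exc:
        return str(exc)


# Constructed sample tokens: one good, then the failure modes a client must catch.
GOOD_CLAIMS = {"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID,
               "exp": NOW + 600, "iat": NOW, "nonce": "n-0S6_WzA2Mj",
               "email": "alice@example.com"}
GOOD_TOKEN = mint_id_token(GOOD_CLAIMS, CLIENT_SECRET)
NONE_ALG_TOKEN = mint_id_token(GOOD_CLAIMS, CLIENT_SECRET, alg="none")
OTHER_CLIENT_TOKEN = mint_id_token({**GOOD_CLAIMS, "aud": "some-other-app"}, CLIENT_SECRET)
_h, _p, _s = GOOD_TOKEN.split(".")
TAMPERED_TOKEN = _h + "." + _b64url(json.dumps({**GOOD_CLAIMS, "sub": "attacker"}).encode()) + "." + _s

if __name__ == "__main__":
    for name, tok, nonce, when in [("good", GOOD_TOKEN, "n-0S6_WzA2Mj", NOW),
                                   ("alg=none", NONE_ALG_TOKEN, "n-0S6_WzA2Mj", NOW),
                                   ("other client", OTHER_CLIENT_TOKEN, "n-0S6_WzA2Mj", NOW),
                                   ("replayed nonce", GOOD_TOKEN, "different-nonce", NOW),
                                   ("expired", GOOD_TOKEN, "n-0S6_WzA2Mj", NOW + 601),
                                   ("tampered", TAMPERED_TOKEN, "n-0S6_WzA2Mj", NOW)]:
        print(f"{name:15s} -> {verdict(tok, nonce, when)}")
```

The order of checks matters less than their completeness: the signature check is useless if the algorithm is read from the token, and the signature and issuer checks together still admit a token issued to another client, which is why aud is checked independently. The nonce check is what turns a valid token into a token valid for this browser session.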

Common scopes

  • openid: required to trigger OIDC behaviour; without it the request is plain OAuth 2.0 and no ID Token is issued
  • profile: name, picture, preferred_username
  • email: email and email_verified
  • address, phone: postal address and phone number
  • offline_access: requests a refresh token for offline use

Specification

Defined by the OpenID Connect Core 1.0 specification, with complementary specs covering discovery, dynamic client registration, session management, and logout.
