
OpenID Connect (OIDC)

An identity layer built on top of OAuth 2.0 that enables applications to verify user identity and obtain basic profile information.

OpenID Connect (OIDC) is an identity authentication protocol built on top of OAuth 2.0. While OAuth 2.0 handles authorization (granting access to resources), OIDC adds a standardized authentication layer that lets applications verify who a user is and retrieve basic profile attributes in a consistent, interoperable way.

How It Works

OIDC extends the OAuth 2.0 authorization code flow by introducing the ID token — a JSON Web Token (JWT) that contains claims about the authenticated user. When an application initiates an OIDC flow, it requests the openid scope along with any additional scopes like profile or email. After the user authenticates, the identity provider returns both an access token (for API access) and an ID token (for identity verification).

The ID token contains standardized claims: sub (a unique subject identifier), iss (the issuer), aud (the intended audience), exp (expiration time), and iat (issued-at time). Additional claims like name, email, and picture convey profile information. The token is signed by the identity provider, allowing the application to verify its authenticity without an additional network request.

OIDC defines a discovery mechanism through a well-known endpoint (/.well-known/openid-configuration) that publishes the provider's capabilities, supported flows, token endpoint URLs, and signing keys. This enables applications to configure themselves dynamically by reading the provider's published metadata.

The UserInfo endpoint provides a standardized way to retrieve additional user attributes beyond what is included in the ID token. Applications make authenticated requests to this endpoint using the access token to obtain profile data.

Security Considerations

ID tokens must be validated thoroughly — checking the signature against the provider's published keys, verifying the issuer and audience claims, and confirming the token has not expired. Accepting tokens without validation allows attackers to forge identity assertions. The nonce parameter prevents replay attacks by binding the token to a specific authentication request.

Why It Matters

OIDC is the standard behind "Sign in with Google," enterprise single sign-on, and federated identity across the web. A flawed OIDC implementation can allow authentication bypass, identity spoofing, and unauthorized account access. Understanding the protocol's security requirements is essential for anyone building or testing identity integrations.
