OIDC (OpenID Connect)

OpenID Connect (OIDC) extends OAuth 2.0 to provide authentication in addition to authorization, allowing applications to confirm who a user is rather than just what they can access.

Why it matters

• Standardizes single sign-on (SSO) across web, mobile, and API applications.
• Eliminates the need to store and manage user passwords in every application.
• Provides verifiable identity tokens (ID tokens) that applications can trust.
• Enables federated identity across organizational boundaries and identity providers.

Key concepts

• ID Token: A JWT containing claims about the authenticated user (subject, issuer, expiration).
• UserInfo Endpoint: Returns additional profile claims like email, name, and picture.
• Claims: Key-value pairs describing user attributes (sub, email, name, groups).
• Scopes: Define what profile information is requested (openid, profile, email).
• Discovery Document: JSON metadata describing provider endpoints and capabilities.

Common OIDC flows

• Authorization Code Flow: Most secure for server-side apps; code exchanged for tokens.
• Authorization Code + PKCE: Secure flow for mobile and single-page applications.
• Implicit Flow: Legacy browser-based flow returning tokens directly (deprecated).
• Hybrid Flow: Combines code and implicit for specific use cases.

Security considerations

• Always validate ID token signatures using the provider's public keys (JWKS).
• Verify issuer, audience, and expiration claims before trusting tokens.
• Use PKCE for public clients to prevent authorization code interception.
• Implement proper session management and token refresh strategies.
• Consider token binding or DPoP for high-security scenarios.