OpenID Connect Basics
OpenID Connect (OIDC) is a simple identity layer on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the end-user based on the authentication performed by an authorization server.
Key Concepts
Identity Provider (IdP)
The server that authenticates users and provides identity information about them.
Relying Party (RP)
The client application that wants to verify the identity of a user.
ID Token
A JWT that contains identity information about the user, including their unique identifier and other claims.
UserInfo Endpoint
An OAuth 2.0 protected resource that returns claims about the authenticated end-user.
Authentication Flows
Authorization Code Flow
The most secure flow for server-side applications, using authorization codes to obtain tokens.
Implicit Flow
A simplified flow for client-side applications, where access tokens are returned directly.
Hybrid Flow
Combines features of both authorization code and implicit flows.
Claims
Claims are pieces of information about the user, such as their name, email, or profile picture. They can be included in the ID token or retrieved from the UserInfo endpoint.
Standard Claims
sub (subject): Unique identifier for the user
name: Full name
email: Email address
picture: Profile picture URL
Custom Claims
Additional claims specific to your application or organization.
Discovery
OpenID Connect Discovery allows clients to dynamically discover information about OpenID Providers, including their endpoints and capabilities.
Security Considerations
- Always verify ID token signatures
- Check token expiration times
- Validate the aud (audience) claim
- Use HTTPS for all communications
- Implement proper nonce validation
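The checklist above as working code, an added example that is not from the original page: validating an ID token with only the Python standard library. It assumes an HS256-signed token keyed with the client secret (OIDC allows this; most providers use RS256 with keys from the discovery document's JWKS, which needs a JWT library), and the issuer, client id, nonce and secret values are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_id_token(claims: dict, client_secret: str) -> str:
    """Constructed helper so the example runs offline: signs claims with HS256."""
    head = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"

def validate_id_token(token, client_secret, issuer, client_id, nonce, now=None):
    """Return the verified claims, or raise ValueError on the first failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    # Pin the algorithm instead of trusting the header (rejects alg=none and alg confusion)
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(client_secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")      # verify the signature before reading any claim
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud_list:
        raise ValueError("audience mismatch")   # token was minted for a different client
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp mismatch")        # several audiences: azp must name this client
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")      # binds the token to the session that started login
    return claims
```

The nonce compared here is the one the relying party generated and stored in the session before redirecting to the provider, so a token captured from another login cannot be replayed.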
Next Steps