OpenID Connect
OpenID Connect (OIDC) is an open standard published by the OpenID Foundation that defines an interoperable way to use OAuth 2.0 to perform user authentication.
Essentially, it builds an authentication protocol on top of an already existing authorization protocol.
OIDC is designed to be interoperable, meaning that an OpenID Client Application can speak one protocol to many Identity Providers instead of implementing a slightly different protocol for each Identity Provider.
Along with returning the traditional OAuth access token, OIDC will return an Identity Token which is a signed JWT.
Unlike the access token, the ID token is directed to the respective Relying Party (RP) and is intended to be parsed by it.
The ID token contains a set of claims about the authentication session, such as:
(sub) - Identifier for the User
(iss) - Identifier for the Identity Provider that issued the token
(aud) - Identifier of the Client for which the token was created
OIDC defines a discovery protocol that allows clients to fetch information on how to interact with a specific identity provider.
Without dynamic discovery, OIDC would not be scalable, as each Client would have to know ahead of time about each provider.
Dynamic Discovery works in the following way:
1) Client needs to discover the issuer URL of the IDP.
2) Client still needs essential information about the Authorization Server, such as the location of the Authorization and Token Endpoints.
These are discovered by appending /.well-known/openid-configuration to the Issuer URI. The response returns a JSON document containing all the attributes of the server that the client needs in order to start the authentication transaction.
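Discovery and the ID token claims listed above, worked through in Python as an added example (this is not code from the OIDC specification or any library); the discovery document and the issuer https://idp.example.com are constructed sample data, and check_id_token_claims assumes the token's signature has already been verified against the keys at jwks_uri.

```python
import json
import time

def discovery_url(issuer: str) -> str:
    # Discovery: append /.well-known/openid-configuration to the Issuer URI
    # (a trailing slash on the issuer must not produce a double slash).
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

# Constructed sample discovery document; idp.example.com is a placeholder, not a real IdP.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "userinfo_endpoint": "https://idp.example.com/userinfo",
    "jwks_uri": "https://idp.example.com/jwks",
    "scopes_supported": ["openid", "profile", "email", "phone", "address"],
})

def parse_discovery(issuer: str, body: str) -> dict:
    # Parse the JSON the issuer served and sanity-check it before trusting it.
    doc = json.loads(body)
    # The issuer inside the document must be identical to the issuer the client
    # fetched it from, so a document pointing at someone else's endpoints fails.
    if doc.get("issuer") != issuer:
        raise ValueError("issuer in discovery document does not match")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            raise ValueError(f"discovery document lacks {key}")
    return doc

def check_id_token_claims(claims: dict, issuer: str, client_id: str, now=None) -> bool:
    # Claim checks for an ID token whose signature was already verified;
    # this function does not verify signatures itself.
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:          # iss: the IdP that issued it
        return False
    aud = claims.get("aud")                  # aud: the client it was minted for
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        return False
    if len(aud) > 1 and claims.get("azp") != client_id:
        return False                         # multi-audience token needs azp
    if "sub" not in claims:                  # sub: the user identifier
        return False
    return claims.get("exp", 0) > now        # reject expired tokens
```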
To see another example, review the following challenge.
OIDC also defines a User Info endpoint where Client applications can retrieve information about the logged-in end user.
It is accessed by sending a simple HTTP request with the access token as the Authorization header value.
Example Response:
OIDC defines a special openid scope that controls overall access to the UserInfo endpoint. It also defines a set of standardized OAuth scopes that map to subsets of user attributes (profile, email, phone, and address).