OpenID Connect (OIDC) extends OAuth 2.0 to provide authentication in addition to authorization, allowing applications to confirm who a user is rather than just what they can access.
Why it matters
- Standardizes single sign-on (SSO) across web, mobile, and API applications.
- Eliminates the need to store and manage user passwords in every application.
- Provides verifiable identity tokens (ID tokens) that applications can trust.
- Enables federated identity across organizational boundaries and identity providers.
Key concepts
- ID Token: A JWT containing claims about the authenticated user (subject, issuer, expiration).
- UserInfo Endpoint: Returns additional profile claims like email, name, and picture.
- Claims: Key-value pairs describing user attributes (sub, email, name, groups).
- Scopes: Define what profile information is requested (openid, profile, email).
- Discovery Document: JSON metadata describing provider endpoints and capabilities.
Common OIDC flows
- Authorization Code Flow: Most secure for server-side apps; code exchanged for tokens.
- Authorization Code + PKCE: Secure flow for mobile and single-page applications.
- Implicit Flow: Legacy browser-based flow returning tokens directly (deprecated).
- Hybrid Flow: Combines code and implicit for specific use cases.
Security considerations
- Always validate ID token signatures using the provider's public keys (JWKS).
- Verify issuer, audience, and expiration claims before trusting tokens.
- Use PKCE for public clients to prevent authorization code interception.
- Implement proper session management and token refresh strategies.
- Consider token binding or DPoP for high-security scenarios.
Related Tools
Related Articles
View all articlesBiometric Authentication: Understanding FAR, FRR, and CER for Security Professionals
Master the critical metrics behind biometric authentication systems including False Acceptance Rate (FAR), False Rejection Rate (FRR), and Crossover Error Rate (CER). Learn how to evaluate, tune, and deploy biometric systems across enterprise, consumer, and high-security environments.
Read article →Threat Modeling with STRIDE and DREAD: A Complete Guide to Proactive Security Architecture
Master threat modeling with STRIDE and DREAD frameworks to identify, classify, and prioritize security threats before they become vulnerabilities. This comprehensive guide covers data flow diagrams, mitigation mappings, MITRE ATT&CK integration, and building an enterprise threat modeling program.
Read article →Azure AD Is Now Microsoft Entra ID: What Changed and What It Means
Microsoft renamed Azure Active Directory to Microsoft Entra ID. Learn what changed, what stayed the same, and how this affects your organization's identity management.
Read article →GitHub Actions Security: OIDC, Secrets, Permissions, and Supply Chain Protection
Secure GitHub Actions workflows with OIDC authentication, minimal permissions, pinned actions, secret protection, fork security, and supply chain hardening best practices.
Read article →Explore More Identity & Access Management
View all termsAuthentication vs Authorization
Authentication verifies who you are, while authorization determines what you can do.
Read more →FIDO2
An open authentication standard that enables passwordless and phishing-resistant login using hardware security keys or platform authenticators.
Read more →Identity and Access Management (IAM)
The policies and technologies used to verify identities, govern permissions, and log access across systems.
Read more →Kerberos
A network authentication protocol that uses secret-key cryptography and trusted third parties to verify user and service identities without transmitting passwords.
Read more →LDAP (Lightweight Directory Access Protocol)
An open, vendor-neutral protocol for accessing and maintaining distributed directory services over a network.
Read more →Multi-Factor Authentication (MFA)
An authentication method that requires users to provide two or more verification factors to gain access.
Read more →