OpenID Connect (OIDC)
1. Overview
- OAuth 2.0: protocol for authorization ("Can this app access this resource?")
- OpenID Connect (OIDC): layer on top of OAuth 2.0 for authentication ("Who is this user?")
- OIDC enables login, SSO, and identity verification using the same OAuth 2.0 flows.
4. OAuth2 vs OIDC
| Feature | OAuth 2.0 | OIDC |
|---|---|---|
| Purpose | Authorization | Authentication + Authorization |
| Token | Access Token | Access Token + ID Token |
| Identity Info | No user info | Contains user info (name, email, etc.) |
| Use Case | API access | User login / SSO |
5. OIDC Flow (Authorization Code)
Steps
- User initiates login
  - Click "Login with Google"
  - Request `/authorize` with `scope=openid email profile` and `state`.
- User authenticates
  - Logs into Authorization Server and consents.
- Authorization code returned
  - `https://yourapp.com/callback?code=abc123&state=xyz123`
- Exchange code for tokens
  - POST `/token` with code + client_secret (if confidential client)
  - Response includes:
    ```json
    {
      "access_token": "ACCESS_TOKEN",
      "id_token": "ID_TOKEN",
      "refresh_token": "REFRESH_TOKEN",
      "token_type": "Bearer",
      "expires_in": 3600
    }
    ```
- Validate and decode ID Token
  - JWT contains claims like `sub`, `name`, `email`, `iss`, `aud`.
- Optional: Fetch User Profile
  - `/userinfo` endpoint using access token.
- User logged in
  - App uses ID Token to establish session.
6. Access Tokens Without OIDC
- Access tokens do not contain user identity; they only authorize access to APIs.
- Example JWT payload:
  ```json
  {
    "scope": "read write",
    "exp": 1708886000,
    "iss": "https://auth.example.com",
    "aud": "api.example.com",
    "sub": "user_12345"
  }
  ```
- Fields:
  - `sub`: internal user ID
  - `scope`: allowed actions
  - `iss`: issuer
  - `aud`: intended audience
  - `exp`: expiry
- No `name`, `email`, or profile info: authentication info is missing.
7. Key Takeaways
- OAuth 2.0 = authorization (API access)
- OIDC = authentication + authorization (user login)
- Access Token = grants access to resources
- ID Token = asserts the verified identity of the user