OpenID Connect (OIDC)
openid.net/specs/openid-connect-core-1_0.html (openid.net)
OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 protocol. Simply put, it is a standard way for your application to verify the identity of a user (through a signed ID Token) and, optionally, obtain basic profile information about them. Think of it as the digital equivalent of a passport.
The appeal of OIDC lies in its simplicity and flexibility. It lets your users authenticate with a trusted OpenID Provider (e.g., Google, Facebook, or your company's identity provider) and then use that authentication to access your app without creating a new account or remembering a separate password. Your application never handles the user's credentials, which improves both user experience and security.
OIDC is not just for web apps. It works with mobile apps, single-page apps, and server-side apps alike; what changes between them is the flow and client type you choose, not the protocol. It is a versatile tool in your identity management arsenal.
OpenID Connect Related
- OpenID Connect for Developers
- ID Token
- Authentication Request
- Token Request
- Authorization Code Flow
- Implicit Flow
- Hybrid Flow
- Initiating Login from a Third Party
- Scopes in OpenID Connect
- Standard Claims
- UserInfo Request
- Aggregated and Distributed Claims
- Passing a Request Object by Value
- Self-Issued OpenID Provider
- Subject Identifier Types
- Client Authentication
- Signature and Encryption
- Offline Access
- Refresh Token
OpenID Connect Standard Protocol Suite
OIDC Minimal
OpenID Connect Core 1.0 (openid.net)
The foundational specification. It defines the main OIDC functionalities, including authentication flows, the ID Token, and the UserInfo endpoint, all built on top of OAuth 2.0.
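The part of Core that relying parties most often get wrong is ID Token validation (Core section 3.1.3.7). The following is an added example, not code from the page or from any provider: it mints a constructed ID Token signed with HS256 using the client_secret (permitted by Core section 10.1; RS256 against the provider's JWKS is more common, and only the signature step differs) and then applies every check a client must perform: pinned algorithm, signature, iss, aud/azp, exp/iat, and nonce. The issuer, client_id and secret are made-up values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example values; a real client reads these from its configuration.
ISSUER = "https://op.example.com"
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = b"constructed-example-secret-do-not-reuse"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_id_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWS the way a test OP would; used only to produce sample input."""
    header = {"alg": alg, "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return signing_input + "." + _b64url_encode(sig)


class IDTokenError(ValueError):
    pass


def validate_id_token(token: str, *, expected_nonce: str, now: Optional[float] = None, leeway: int = 60) -> dict:
    """Validate an ID Token per OIDC Core 3.1.3.7 and return its claims, or raise IDTokenError."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
    except ValueError as e:  # covers unpack, base64 and JSON errors
        raise IDTokenError(f"malformed token: {e}")

    # 1. Pin the algorithm: never let the token's own header pick the verifier
    #    ("alg":"none" and key-confusion attacks both start here).
    if header.get("alg") != "HS256":
        raise IDTokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(CLIENT_SECRET, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise IDTokenError("bad signature")
    # 2. iss must exactly match the issuer we configured or discovered.
    if claims.get("iss") != ISSUER:
        raise IDTokenError(f"wrong issuer {claims.get('iss')!r}")
    # 3. aud must contain our client_id; with several audiences azp must be us.
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else list(aud or [])
    if CLIENT_ID not in aud_list:
        raise IDTokenError("token not intended for this client")
    if len(aud_list) > 1 and claims.get("azp") != CLIENT_ID:
        raise IDTokenError("azp does not match client_id")
    # 4. exp and iat, with a small clock-skew allowance.
    if not isinstance(claims.get("exp"), (int, float)) or now > claims["exp"] + leeway:
        raise IDTokenError("token expired")
    if not isinstance(claims.get("iat"), (int, float)) or claims["iat"] > now + leeway:
        raise IDTokenError("iat is in the future")
    # 5. nonce ties this token to the authentication request we actually sent.
    if claims.get("nonce") != expected_nonce:
        raise IDTokenError("nonce mismatch (possible replay)")
    return claims


def demo() -> tuple:
    """Accept one good token and confirm each tampered variant is rejected."""
    now = 1_700_000_000
    base = {"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID,
            "exp": now + 600, "iat": now, "nonce": "n-0S6_WzA2Mj"}
    good = validate_id_token(mint_id_token(base, CLIENT_SECRET), expected_nonce="n-0S6_WzA2Mj", now=now)
    bad_tokens = {
        "alg none": mint_id_token(base, b"", alg="none"),
        "wrong key": mint_id_token(base, b"attacker-key"),
        "wrong iss": mint_id_token({**base, "iss": "https://evil.example"}, CLIENT_SECRET),
        "wrong aud": mint_id_token({**base, "aud": "other-client"}, CLIENT_SECRET),
        "expired": mint_id_token({**base, "exp": now - 3600}, CLIENT_SECRET),
        "replayed nonce": mint_id_token({**base, "nonce": "stale"}, CLIENT_SECRET),
    }
    rejected = []
    for name, tok in bad_tokens.items():
        try:
            validate_id_token(tok, expected_nonce="n-0S6_WzA2Mj", now=now)
        except IDTokenError:
            rejected.append(name)
    return good, rejected
```

The order matters: the algorithm is fixed by the client before the signature is checked, and the signature is checked before any claim is read, so a forged token never influences a decision. With RS256 you would select the key by the header's kid from the provider's jwks_uri and verify with that key, but the alg pin and the claim checks stay identical.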
OIDC Dynamic
OpenID Connect Discovery 1.0 (openid.net)
Enables clients to dynamically discover the configuration of an OpenID Provider, such as its endpoints and capabilities, by fetching a JSON document from a well-known URL. This simplifies client setup.
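Discovery is also where a client pins the issuer it will later compare ID Tokens against, so the metadata deserves the same scrutiny as a token. The following added example (not code from the page or from any provider) parses a constructed discovery document, rejects it if the issuer does not match the URL it was fetched from (OIDC Discovery section 4.3) or if endpoints are not HTTPS, and then uses the advertised endpoints to build an Authorization Code Flow request carrying state, nonce and a PKCE S256 challenge (RFC 7636). The provider host, client_id and redirect URI are made-up values.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode, urlparse

# Constructed sample of GET https://op.example.com/.well-known/openid-configuration,
# trimmed to the fields used here. A real client fetches it over HTTPS.
DISCOVERY_URL = "https://op.example.com/.well-known/openid-configuration"
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": "https://op.example.com",
    "authorization_endpoint": "https://op.example.com/authorize",
    "token_endpoint": "https://op.example.com/token",
    "userinfo_endpoint": "https://op.example.com/userinfo",
    "jwks_uri": "https://op.example.com/jwks",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "code_challenge_methods_supported": ["S256"],
})


def parse_discovery(doc: str, discovery_url: str) -> dict:
    """Parse OP metadata and check that the issuer is the one we asked for."""
    meta = json.loads(doc)
    # The issuer must equal the discovery URL minus the well-known suffix; anything
    # else is a misconfigured or hostile OP and would break later iss checks.
    expected_issuer = discovery_url.removesuffix("/.well-known/openid-configuration")
    if meta.get("issuer") != expected_issuer:
        raise ValueError(f"issuer {meta.get('issuer')!r} != {expected_issuer!r}")
    for ep in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlparse(meta.get(ep, "")).scheme != "https":
            raise ValueError(f"{ep} must be an https URL")
    return meta


def pkce_pair() -> tuple:
    """RFC 7636: random code_verifier and its S256 challenge BASE64URL(SHA256(verifier))."""
    verifier = secrets.token_urlsafe(64)  # 86 unreserved chars, within the 43..128 bound
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authentication_request(meta: dict, client_id: str, redirect_uri: str) -> tuple:
    """Return the authorization URL and the per-request secrets the RP must keep in
    the user's session: state (CSRF), nonce (ID Token binding), code_verifier (PKCE)."""
    if "S256" not in meta.get("code_challenge_methods_supported", []):
        raise ValueError("OP does not advertise PKCE S256")
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    verifier, challenge = pkce_pair()
    params = {
        "response_type": "code",          # Authorization Code Flow
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",  # "openid" is what makes this OIDC rather than plain OAuth
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    url = meta["authorization_endpoint"] + "?" + urlencode(params)
    return url, {"state": state, "nonce": nonce, "code_verifier": verifier}


def demo() -> tuple:
    meta = parse_discovery(SAMPLE_DISCOVERY_DOC, DISCOVERY_URL)
    return build_authentication_request(meta, "s6BhdRkqt3", "https://rp.example.org/cb")
```

On the callback, the client compares the returned state with the stored one before doing anything else, sends code_verifier with the Token Request, and checks the ID Token's nonce against the stored nonce.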
OpenID Connect Dynamic Client Registration 1.0 (openid.net)
Allows client applications to register with an OpenID Provider on the fly, rather than requiring manual pre-configuration. The client receives a client_id and other necessary metadata to interact with the provider.
OIDC Complete
OpenID Connect Session Management 1.0 (openid.net)
Defines how a client monitors the end-user's login state at the OpenID Provider (via the check_session_iframe and session_state value) so it can notice when the user logs out elsewhere. Logout itself, including single sign-out across the application and the provider, is specified in the companion RP-Initiated, Front-Channel and Back-Channel Logout documents.
OAuth 2.0 Form Post Response Mode (openid.net)
Specifies a response mode in which the Authorization Server returns parameters (such as authorization codes or tokens) to the client as form fields in the body of an HTTP POST to the redirect URI, rather than in the URL query or fragment, so they do not end up in browser history, Referer headers, or server access logs.
Other OpenID Connect Specifications
- OAuth 2.0 Multiple Response Type Encoding Practices (openid.net)
- Implementer's Draft Self-Issued OpenID Provider v2 - draft 13 (openid.net)
Protocols underpinning OpenID Connect
- The OAuth 2.0 Authorization Framework (datatracker.ietf.org)
- Bearer Token Usage (datatracker.ietf.org)
- Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants (datatracker.ietf.org)
- JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (datatracker.ietf.org)
- OAuth 2.0 Multiple Response Type Encoding Practices (openid.net)
- RFC 7636: Proof Key for Code Exchange by OAuth Public Clients (rfc-editor.org)
- JSON Web Token (JWT) (datatracker.ietf.org)
- JSON Web Signature (JWS) (datatracker.ietf.org)
- JSON Web Encryption (JWE) (datatracker.ietf.org)
- JSON Web Key (JWK) (datatracker.ietf.org)
- JSON Web Algorithms (JWA) (datatracker.ietf.org)
- WebFinger (datatracker.ietf.org)
More learning resources about OpenID Connect
More resources about auth on our Resources page.