OpenID Connect and the ID Token

Adding a verifiable identity layer on top of OAuth2.

OAuth2 was not built for login

OAuth2 grants access to resources, but it does not by itself tell the client who the user is. OpenID Connect, or OIDC, is a thin identity layer on top of OAuth2 that adds authentication semantics.

The ID token

The key addition is the ID token, a signed JWT that asserts the user's identity. It carries standard claims:

  • sub, a stable subject identifier for the user.
  • iss, the issuer that signed it.
  • aud, the intended audience, i.e. the client the token was minted for.
  • iat and exp, the issued-at and expiry times.
  • nonce, a value echoed from the original authentication request, binding the token to that request.

The client verifies the signature against the issuer's published keys and checks that the audience and nonce match, proving the token was minted for this login.
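The verification steps above, as an added example that is not part of the original lesson. It is stdlib-only, so the signature is HMAC-SHA256 under a constructed shared key standing in for the issuer's published signing key (real ID tokens are normally RS256-signed and checked against the issuer's JWKS); the issuer URL, client id and claim values are all constructed.

```python
import base64, hashlib, hmac, json, time

# Constructed key standing in for the issuer's signing key. Real ID tokens are
# usually RS256-signed against the issuer's JWKS; the claim checks are the same.
KEY = b"constructed-example-key"
ISSUER, CLIENT_ID = "https://issuer.example", "client-abc"   # constructed values

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_token(claims: dict) -> str:
    """Issuer side: sign header.payload with HMAC-SHA256 and emit a compact JWT."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_id_token(token: str, nonce: str, now=None) -> dict:
    """Client side: return the claims if the token is valid for this login, else raise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    # Pin the algorithm; never let the token's own header choose how it is verified.
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")       # check the signature before trusting any claim
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")      # minted for some other client
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")      # not the token for this login request
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired")
    return claims

def verification_error(token: str, nonce: str, now):
    """The rejection reason as a string, or None when the token is accepted."""
    try:
        verify_id_token(token, nonce, now)
        return None
    except ValueError as e:
        return str(e)
```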

Access token versus ID token

These serve different purposes. The access token is for calling APIs and is opaque to the client. The ID token is for the client to learn who logged in. Using an access token as proof of identity is a classic mistake.

Key idea

OpenID Connect adds a signed ID token to OAuth2 so the client learns a verified user identity, distinct from the access token used to call APIs.

Check yourself

1. What does the OIDC ID token primarily convey?

2. Why should an access token not be used as proof of identity?

3. What does the nonce claim help prevent?