OpenID Connect

An identity layer over OAuth that issues verifiable ID tokens about the user.

5 min read · core

Identity on Top of OAuth

OAuth grants an application limited access to resources, but it does not, by itself, tell the application who the user is. OpenID Connect, or OIDC, adds an identity layer on top of OAuth to fill that gap.

The key addition is the ID token, a signed JWT issued by the identity provider. It contains claims such as the user identifier, the issuer, the audience, and expiry. The application reads these to learn who logged in.

Validating an ID Token

The token is only meaningful after validation:

  • Verify the signature using the provider's published keys.
  • Check the issuer matches the expected identity provider.
  • Check the audience matches your client identifier.
  • Check expiry and, where used, the nonce that ties the token to your request.

Skipping any of these can let a token from another client or a replayed token slip through. OIDC also provides a userinfo endpoint for additional profile details when needed.
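The four checks above, carried through as an added example (not code from the original lesson). To keep it runnable with only the standard library it signs with HS256 and a shared secret; real providers sign ID tokens with an asymmetric algorithm such as RS256, and you fetch their public keys from the JWKS URL in the discovery document. The issuer, client id, secret, and claim values are constructed sample values, and `demo()` shows the valid token being accepted while a token minted for another client, a replayed token with the wrong nonce, and an expired token are each rejected.

```python
"""Validate an OpenID Connect ID token: signature, issuer, audience, expiry, nonce.

Added example with constructed values. HS256 with a shared secret stands in for
the provider's asymmetric signature so the code runs offline.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values (assumptions for this example only).
ISSUER = "https://idp.example.com"
CLIENT_ID = "my-client-id"
SHARED_SECRET = b"example-shared-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Mint an HS256 JWT; plays the role of the identity provider."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode())
                     + "." + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token: str, expected_nonce: str, now: float = None,
                      secret: bytes = SHARED_SECRET, issuer: str = ISSUER,
                      client_id: str = CLIENT_ID) -> dict:
    """Return the claims if every check passes, otherwise raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))

    # 1. Signature. Pin the algorithm we expect (never trust the token's own
    #    "alg" to pick the verifier) and compare MACs in constant time.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected_sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))

    # 2. Issuer must be the provider we configured.
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")

    # 3. Audience: "aud" may be a string or a list; our client id must be in it.
    #    With several audiences, OIDC also requires "azp" to name this client.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("token not intended for this client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences but azp is not this client")

    # 4. Expiry ("exp" is seconds since the epoch).
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired")

    # 5. Nonce ties the token to the authentication request we actually sent.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def demo() -> dict:
    """Mint one valid token and three bad ones; report which check fires."""
    now = 1_700_000_000
    base = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
            "iat": now, "exp": now + 300, "nonce": "n-abc"}
    results = {"valid": validate_id_token(sign_id_token(base), "n-abc", now=now)["sub"]}
    cases = {
        "other_client": ({**base, "aud": "other-client"}, "n-abc", now),
        "replayed": (base, "n-different", now),
        "expired": (base, "n-abc", now + 600),
    }
    for name, (claims, nonce, at) in cases.items():
        try:
            validate_id_token(sign_id_token(claims), nonce, now=at)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    print(demo())
```

The order matters: the signature is checked before any claim is read, so the issuer, audience and nonce comparisons only ever run on data the provider actually signed.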

Key idea

OpenID Connect layers identity onto OAuth by issuing a signed ID token whose claims describe the user, so safe logins depend on verifying the signature, issuer, audience, expiry, and nonce before trusting it.

Check yourself


1. What does OpenID Connect add that plain OAuth lacks?

2. Why must the application check the ID token audience?