OIDC
What is OIDC
OIDC (OpenID Connect) is an identity authentication layer built on top of the OAuth 2.0 protocol. It combines the authorization capabilities of OAuth 2.0 with identity authentication and is an industry-standard identity authentication protocol.
Relationship with OAuth 2.0
OIDC = Identity + Authentication + OAuth 2.0| Protocol | Core Capability | Problem Solved |
|---|---|---|
| OAuth 2.0 | Authorization | What you are allowed to do |
| OIDC | Authentication + Authorization | You are the user you claim to be |
Authorization occurs after authentication. Only after determining user identity can you decide what permissions to grant.
Why OIDC is Needed
OAuth 2.0 is an excellent authorization protocol, but it does not provide complete identity authentication functions:
- OAuth 2.0 Access Token does not carry user identity information
- Different vendors have different return formats for "user information"
- It cannot standardize acquisition of basic user profiles (such as username, email, etc.)
OIDC standardizes the identity authentication flow on top of OAuth 2.0:
- Use OAuth 2.0 to obtain Access Token
- At the same time obtain ID Token (JWT containing user identity information)
- Obtain user details through standardized interfaces

Core Components of OIDC
ID Token
ID Token is a JWT (JSON Web Token) containing the following key information:
| Field | Description |
|---|---|
iss | Issuer |
sub | Subject (user unique identifier) |
aud | Audience |
exp | Expiration time |
iat | Issued at |
UserInfo Endpoint
Used to obtain user details such as nickname, avatar, email, mobile number, etc.
Discovery Document
Standardized service discovery document; clients can automatically obtain all endpoint addresses of the OIDC service provider.
Applicable Scenarios
OIDC is suitable for various types of clients:
- Server-side applications: Web application backend completes the authentication flow
- Single Page Applications (SPA): browser side securely authenticates through the PKCE extension
- Mobile Apps: native apps invoke the system browser to complete authentication
OIDC is fully compatible with OAuth 2.0; existing OAuth 2.0 infrastructure can be smoothly upgraded to support OIDC.