Skip to content

OIDC

What is OIDC

OIDC (OpenID Connect) is an identity authentication layer built on top of the OAuth 2.0 protocol. It combines the authorization capabilities of OAuth 2.0 with identity authentication and is an industry-standard identity authentication protocol.

Relationship with OAuth 2.0

OIDC = Identity + Authentication + OAuth 2.0
ProtocolCore CapabilityProblem Solved
OAuth 2.0AuthorizationWhat you are allowed to do
OIDCAuthentication + AuthorizationYou are the user you claim to be

Authorization occurs after authentication. Only after determining user identity can you decide what permissions to grant.

Why OIDC is Needed

OAuth 2.0 is an excellent authorization protocol, but it does not provide complete identity authentication functions:

  • OAuth 2.0 Access Token does not carry user identity information
  • Different vendors have different return formats for "user information"
  • It cannot standardize acquisition of basic user profiles (such as username, email, etc.)

OIDC standardizes the identity authentication flow on top of OAuth 2.0:

  1. Use OAuth 2.0 to obtain Access Token
  2. At the same time obtain ID Token (JWT containing user identity information)
  3. Obtain user details through standardized interfaces

OIDC Authentication Flow

Core Components of OIDC

ID Token

ID Token is a JWT (JSON Web Token) containing the following key information:

FieldDescription
issIssuer
subSubject (user unique identifier)
audAudience
expExpiration time
iatIssued at

UserInfo Endpoint

Used to obtain user details such as nickname, avatar, email, mobile number, etc.

Discovery Document

Standardized service discovery document; clients can automatically obtain all endpoint addresses of the OIDC service provider.

Applicable Scenarios

OIDC is suitable for various types of clients:

  • Server-side applications: Web application backend completes the authentication flow
  • Single Page Applications (SPA): browser side securely authenticates through the PKCE extension
  • Mobile Apps: native apps invoke the system browser to complete authentication

OIDC is fully compatible with OAuth 2.0; existing OAuth 2.0 infrastructure can be smoothly upgraded to support OIDC.

BambooCloud IDaaS Open Platform