Skip to main content

OpenID Connect (OIDC)

OpenID Connect is an identity layer on OAuth 2.0 that verifies users and returns signed ID tokens, powering modern single sign-on.

OpenID Connect (OIDC) is a thin authentication layer built on top of OAuth 2.0. Where OAuth handles authorization (what an app may access), OIDC handles authentication (who the user is). It is the modern standard behind most "Sign in with" experiences.

How It Works

OIDC reuses OAuth 2.0 flows but adds an ID token, a signed JSON web token that contains claims about the authenticated user, such as a unique subject identifier, name, and email. The identity provider authenticates the user, then returns the ID token (and usually an access token) to the application.

The application validates the ID token's signature and claims, including issuer, audience, and expiry, to trust the user's identity. A standard UserInfo endpoint provides additional profile data. OIDC also defines a discovery document and standardized scopes like openid, profile, and email, which makes integration between providers consistent.

Because ID tokens are signed JWTs, applications can verify them using the provider's public keys without an extra round trip.

Why It Matters

Before OIDC, developers misused plain OAuth for login, which was insecure and inconsistent. OIDC standardized authentication so any compliant client can work with any compliant provider, such as Google, Microsoft Entra ID, Okta, or Auth0.

OIDC powers single sign-on across web and mobile apps and integrates cleanly with multi-factor authentication enforced at the identity provider. It is generally simpler and more web-and-mobile-friendly than SAML, which it has largely replaced for new applications.

Related Terms

OpenID Connect extends OAuth 2.0 and relies on JSON web tokens for its ID tokens. It enables single sign-on and is a modern alternative to SAML.