As applications become increasingly interconnected, users demand secure and seamless login experiences. While OAuth 2.0 solves the problem of authorization (granting limited access to resources), it doesn’t handle authentication (proving who the user is). That’s where OpenID Connect (OIDC) comes in.
What is OpenID Connect?
OpenID Connect (OIDC) is an authentication layer built on top of OAuth 2.0. It allows clients (apps) to verify a user’s identity and obtain basic profile information in a standardized and secure way.
In simpler terms:
Why OpenID Connect?
Identity Verification: Confirms who the user is.
Single Sign-On (SSO): One login for multiple apps.
Interoperability: Works across platforms, mobile, web, and APIs.
User-Friendly: Reduces the need for multiple usernames and passwords.
How OpenID Connect Works
OIDC extends OAuth 2.0 with a special ID Token, which carries information about the authenticated user.
Key Components
End-User (Resource Owner) – The person trying to log in.
Relying Party (Client) – The app that needs authentication.
OpenID Provider (OP) – The server that authenticates the user and issues tokens (e.g., Google, Microsoft, Auth0).
The Flow (Simplified)
Login Request: The client app redirects the user to the OpenID Provider.
User Authentication: The user logs in with their credentials at the provider (e.g., Google login).
Consent: The user approves requested information (e.g., email, profile).
Tokens Issued:
ID Token – Contains user identity info (JWT format).
Access Token – Grants access to APIs/resources.
Refresh Token – Optional, for renewing tokens.
Client Validates ID Token: The app verifies the user’s identity and logs them in.
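The last step is where the security of the whole flow rests, so here is an added example (not part of the original article) of the checks a Relying Party must run on an ID Token before trusting it: signature, pinned algorithm, issuer, audience, expiry and nonce. To stay self-contained it uses a stand-in provider that signs with HS256 and a shared client secret; the issuer, client_id and secret are constructed values. Real providers such as Google sign with RS256 and publish their keys, but the claim checks are the same.

```python
import base64, hashlib, hmac, json
# Constructed example values, not from any real provider or app.
ISSUER = "https://op.example.com"            # the OpenID Provider we trust
CLIENT_ID = "example-relying-party"           # our client_id; must appear in 'aud'
CLIENT_SECRET = b"constructed-shared-secret"  # HS256 key the OP shares with this client

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_id_token(sub: str, nonce: str, now: int, key: bytes = CLIENT_SECRET) -> str:
    """Stand-in for the OP: mint a compact JWS ID Token signed with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID,
              "iat": now, "exp": now + 300, "nonce": nonce}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def validate_id_token(token: str, expected_nonce: str, now: int, key: bytes = CLIENT_SECRET) -> dict:
    """Relying Party side: the checks to perform before trusting any claim in the token."""
    header_b64, claims_b64, sig_b64 = token.split(".")  # ValueError if not 3 parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm we expect; never let the token choose it (rejects alg=none).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims

def check(token: str, nonce: str, now: int) -> str:
    """Return 'ok' or the reason the token was rejected."""
    try:
        validate_id_token(token, nonce, now)
        return "ok"
    except ValueError as e:
        return str(e)
```

The nonce is the value the app generated and stored in the session when it redirected the user in step 1; comparing it here is what ties the returned token to that particular login attempt.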
Example in Real Life
When you log in to a new application using “Sign in with Google”:
Google is the OpenID Provider.
The new app is the Relying Party.
You log in with Google credentials.
Google issues an ID Token (your identity) and sends it to the app.
The app now knows you are you, without ever seeing your Google password.