OpenID Connect Claims and ID Tokens
Decode JWT-based ID tokens, understand claim validation, and implement OIDC correctly.
OIDC as Identity Layer
OpenID Connect (OIDC) adds an identity layer on top of OAuth 2.0. While OAuth 2.0 handles authorization (what can this app access?), OIDC answers the identity question (who is the user?). OIDC is implemented by adding the "openid" scope to an OAuth 2.0 request, which causes the authorization server to return an ID token alongside the access token.
ID Token as JWT
The OIDC ID token is a JSON Web Token (JWT) containing claims about the authenticated user. The JWT is signed by the authorization server using its private key (RS256 or ES256 typically), and the relying party (client application) verifies the signature using the authorization server's published public keys (JWKS endpoint).
All lessons in this course
- OAuth 2.0 Flows and Token Types
- PKCE: Securing Public Clients
- OpenID Connect Claims and ID Tokens
- OAuth Vulnerabilities and Attack Patterns