OpenID Connect (OIDC)
Adding identity on top of OAuth.
Why OIDC Exists
OpenID Connect is a thin identity layer built on top of OAuth 2.0. OAuth answers "what may this app do on the user's behalf"; OIDC answers "who is the user, and how and when did they authenticate".
- It standardizes how clients authenticate users and receive verified identity claims.
- It introduces the ID token as a cryptographically signed assertion of authentication.
Before OIDC, developers misused OAuth access tokens for login. An access token only proves that some token was issued to some client for some scope; it does not say which user is present at this client or which client it was issued to. A token obtained by a malicious app could therefore be replayed to a site that accepted "a valid token for the user's profile" as proof of login, the classic confused-deputy and impersonation bugs.
The ID Token (a JWT)
The defining OIDC artifact is the ID token, a signed JWT describing the authentication event.
- It carries claims about who logged in and when.
- It is meant for the client to consume, not the resource server.
Never send an ID token to an API as an access credential, and never accept one without validating it: check the signature against the issuer's published keys, that iss is the expected issuer, that aud contains your client_id, that exp has not passed, and that nonce matches the value your client bound to the login request.
Compact form: header.payload.signature (three base64url-encoded segments). A decoded payload:

    {
      "iss": "https://idp.example",
      "sub": "248289761001",
      "aud": "app123",
      "exp": 1718000000,
      "iat": 1717996400,
      "nonce": "n-abc"
    }
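The following is an added, self-contained example (not code from the original lesson) showing what "validate its signature and claims" means in practice for the payload above. It mints an ID token and then validates it, rejecting the common failure modes: a tampered payload, a token meant for another client, an expired token, a replayed nonce, and an "alg: none" forgery. For the sake of running offline it assumes HS256 with a shared client secret (which OIDC permits); real deployments usually use RS256 with keys fetched from the issuer's JWKS endpoint, and the issuer, client_id, secret and timestamps here are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example; not from any real identity provider.
ISSUER = "https://idp.example"
CLIENT_ID = "app123"
SHARED_SECRET = b"example-client-secret-used-as-hs256-key"  # assumption: HS256 w/ client secret
EXAMPLE_CLAIMS = {
    "iss": ISSUER,
    "sub": "248289761001",
    "aud": CLIENT_ID,
    "exp": 1718000000,
    "iat": 1717996400,
    "nonce": "n-abc",
}
EXAMPLE_NOW = 1717996500  # a moment between iat and exp, so the token is fresh


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_id_token(claims: dict, secret: bytes) -> str:
    """Mint a compact JWS (HS256) over the claims, as the IdP would."""
    signing_input = _encode_segment({"alg": "HS256", "typ": "JWT"}) + "." + _encode_segment(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def forge_alg_none(claims: dict) -> str:
    """Attacker-style forgery: unsigned token that asks the verifier to skip the signature."""
    return _encode_segment({"alg": "none", "typ": "JWT"}) + "." + _encode_segment(claims) + "."


def validate_id_token(token: str, secret: bytes, expected_nonce: str,
                      now: Optional[int] = None) -> dict:
    """Verify signature and core OIDC claims; return the payload or raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never dictate how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise ValueError("token not intended for this client")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    # nonce ties the token to the login request this client started (anti-replay).
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def rejection_reason(token: str, secret: bytes, expected_nonce: str,
                     now: Optional[int] = None) -> Optional[str]:
    """Return None if the token validates, otherwise the reason it was rejected."""
    try:
        validate_id_token(token, secret, expected_nonce, now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    good = sign_id_token(EXAMPLE_CLAIMS, SHARED_SECRET)
    print("valid token ->", validate_id_token(good, SHARED_SECRET, "n-abc", EXAMPLE_NOW)["sub"])
    other_client = sign_id_token({**EXAMPLE_CLAIMS, "aud": "someone-else"}, SHARED_SECRET)
    print("wrong aud  ->", rejection_reason(other_client, SHARED_SECRET, "n-abc", EXAMPLE_NOW))
    print("alg none   ->", rejection_reason(forge_alg_none(EXAMPLE_CLAIMS), SHARED_SECRET, "n-abc", EXAMPLE_NOW))
    print("expired    ->", rejection_reason(good, SHARED_SECRET, "n-abc", EXAMPLE_CLAIMS["exp"]))
```

The order of checks matters: the algorithm is pinned before any signature work, and the signature is verified before any claim is trusted, so a tampered payload is rejected as "bad signature" rather than reaching the issuer or audience checks.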