Skip to main content

OpenID Connect overview

OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. At its core, it allows an application to securely contact an identity provider, authenticate a user, and receive information about the user's identity and session. OpenID Connect is widely used for authentication on the web, and it offers several advantages over other protocols like SAML.

For example, there are currently two ways of creating a Spotify account. You can register with Spotify or you can sign on through Facebook. Facebook sends your name and email address to Spotify, which uses that information to create a profile for you without needing to provide a password or your name and email address.

OpenID Connect extends regular OAuth2

To understand how OpenID Connect works, it's helpful to first understand OAuth 2.0. OAuth 2.0 allows a user to grant an (third party) application access to resources the user owns, without the need to share their passwords with the application. Instead, the user delegates access rights to the client using an access token. However, OAuth 2.0 does not provide any standardized way for the client to request or control user authentication.

This is where OpenID Connect comes in. By accepting a number of request parameters at the standard OAuth2 endpoints, it allows applications to control authentication and obtain an ID token as proof of the authentication event. The ID token is a JSON Web Token that contains information about the user and the session, and it can be digitally verified by the application to create a session.

One of the key benefits of OpenID Connect is that it allows users to authenticate with a single set of credentials across multiple websites or applications. It also provides better support for modern web applications and mobile devices than other protocols like SAML.

OpenID Connect vs. SAML

SAML is a framework for exchanging security assertions that was designed for web-based clients. It doesn't provide a separate API credential, which limits its usefulness for modern web and mobile applications. In contrast, OpenID Connect provides an API credential (access token) that can be sent by web and mobile clients to backend APIs. This makes it easier to build web and mobile applications that use APIs for backend functionality.

OpenID Connect is generally considered to be simpler and easier to use than SAML. It also includes features like native support for in-app browsers and push notifications, and it has better support for modern web applications and mobile devices. By providing a standard way to authenticate users across multiple websites and applications, OpenID Connect makes the authentication process more convenient and secure. If you're building a web application that requires user authentication, OpenID Connect is definitely worth considering.

How Does OpenID Connect Work?

OpenID Connect is similar to OAuth in that it allows users to give one application permission to access data in another application without having to provide their usernames and passwords. Instead, tokens are used to complete both the authentication and authorization processes.

OpenID Connect ID Tokens, encoded as JSON Web Tokens (JWTs), contain information about the user, such as their usernames, when they attempted to sign on to the application or service, and the length of time they are allowed to access the online resources. These tokens are intended to be read by the client and prove that users were authenticated.

Access tokens, on the other hand, are used to access protected resources that are intended to be read and validated by the API. These tokens can be encoded as JWTs too, but they are not ID Tokens. Their purpose is to inform the API that the bearer of this token has been authorized to access the API and perform specific actions (as specified by the scope that has been granted).

It's important to note that ID tokens cannot be used for API access purposes and access tokens cannot be used for authentication. The following diagram shows how a typical OpenID Connect authentication process works:

The ID Token

OpenID Connect extends the authentication capabilities of OAuth by including components such as an ID token issued as a JSON Web Token (JWT). The ID token is conceptually analogous to an ID card, in that it contains a set of JSON claims about the user, such as their name and email:

OpenID Connect ID token payload
{
iss: "https://my-domain.projects.oryapis.com",
sub: "some-identity-id",
aud: "some-client-id",
exp: 1311281970,
iat: 1311280970,
nonce: "KxSty13b2L",
// OpenID Connect standard claims:
name: "Jane Doe",
given_name: "Jane",
family_name: "Doe",
email: "jane@example.org",
email_verified: true,
}

This is different from an access token, which does not include any identifiable information and instead exists to authorize access to resource servers with limited scope:

OAuth2 access token payload
{
iss: "https://my-domain.projects.oryapis.com",
sub: "some-identity-id",
aud: "some-client-id",
exp: 1311281970,
iat: 1311280970,
scope: "blog_posts photos",
}

To obtain an ID token, the client sends the user to their OpenID Provider (OP) with an authentication request. The ID token resembles the concept of an identity card, in a standard JWT format, signed by the OpenID Provider.

OpenID Connect ID token encoded as JWT
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL215LWRvbWFpbi5wcm9qZWN0cy5vcnlhcGlzLmNvbSIsInN1YiI6InNvbWUtaWRlbnRpdHktaWQiLCJhdWQiOiJzb21lLWNsaWVudC1pZCIsImV4cCI6MTMxMTI4MTk3MCwiaWF0IjoxMzExMjgwOTcwLCJub25jZSI6Ikt4U3R5MTNiMkwiLCJuYW1lIjoiSmFuZSBEb2UiLCJnaXZlbl9uYW1lIjoiSmFuZSIsImZhbWlseV9uYW1lIjoiRG9lIiwiZW1haWwiOiJqYW5lQGV4YW1wbGUub3JnIiwiZW1haWxfdmVyaWZpZWQiOnRydWV9.50GMfrkHp1GcBdotJK6oirdr_bZUdJ1P5i4NlShOj2M

The ID token asserts the identity of the user, specifies the issuing authority, and is generated for a particular audience (the client). It may contain a nonce, specify when and how the user was authenticated, and include additional requested details about the subject, such as name and email address. The ID token has an issue time and an expiration time, and is digitally signed, so it can be verified by the intended recipients.

The procedure to receive an ID token is the same as obtaining an access token in a strictly OAuth flow. When the client queries the OpenID Provider, the end-user is redirected to an authorization prompt. If the OpenID Provider is compatible with OpenID Connect, this prompt also becomes the point of authentication, after which the ID token is issued in the same step as the access token. In other words, the possession of an ID token is proof of authentication.

It's important to note that possession of the access token is not proof of authentication, because access tokens can be acquired in multiple ways. ID tokens can only be obtained when the human user explicitly gives a client access to whatever information it requires. In other words, the user must go through the process of "Sign[ing] in with Google," which only the account holder is capable of doing, assuming credentials have not been compromised.

To verify the ID token, the recipient can decode and verify the signature of the ID token using the OP's public key. The recipient can also check the issuer, audience, and expiration time of the ID token to make sure that it's valid and hasn't been tampered with. The ID token is a crucial component of OpenID Connect and provides a standardized way to authenticate users across multiple websites and applications.