OpenID Connect (OIDC)

When to Use

• Single Sign-On (SSO): One login for multiple apps.
• User Profile: Getting

  name

  ,

  email

  ,

  picture

  from a provider.
• Enterprise Identity: Connecting to Active Directory via OIDC.

Quick Start

// Request
GET /authorize?
  response_type=code&
  scope=openid profile email&  <-- 'openid' scope triggers OIDC
  client_id=...&
  redirect_uri=...

// Token Response
{
  "access_token": "SlAV32hkKG...", // For API access
  "id_token": "eyJ0eXKiOiJK...",   // JWT containing User Profile
  "expires_in": 3600
}

Core Concepts

ID Token

UserInfo Endpoint

/userinfo

Scopes

• openid

  : Required to use OIDC.

• profile

  : Request access to name, picture, etc.

• email

  : Request access to email.

Common Patterns

Discovery Endpoint

/.well-known/openid-configuration

Best Practices

• Validate the ID Token Signature (using JWKS).
• Check the Audience (

  aud

  ) claim matches your Client ID.
• Check the Issuer (

  iss

  ) claim matches the provider.
• Use Nonce to prevent replay attacks.

• Don't treat the Access Token as an ID Token (Access Tokens are opaque strings in standard OAuth, though often JWTs in practice).
• Don't accept unsigned ID tokens (algorithm

  none

  ).

Troubleshooting

id_token missing

openid

openid

Signature Invalid

References

• OpenID Connect Core
• OIDC Playground