OpenID Connect (OIDC)
Introduction
OpenID Connect is an identity protocol that lets users authenticate across different websites or applications with a single set of credentials.
It is an extension of OAuth 2.0: where plain OAuth 2.0 only issues an access token for accessing resources, OIDC additionally issues an ID token that is used for authentication.
ID Token
Introduction
The ID token serves as proof of the user's identity and contains information about the user and the authentication event.
The client application can use the ID token to verify the user's identity and make authorization decisions.
The payload of the token always includes:
iss (Issuer): The identifier of the IdP that issued the token.
sub (Subject): A unique identifier for the authenticated user.
aud (Audience): The intended audience or recipient of the token (typically the client application).
exp (Expiration Time): The timestamp at which the token expires and should no longer be considered valid.
iat (Issued At): The timestamp at which the token was issued.
nonce: A random value generated by the client application and included in the authentication request. It ties the response to the corresponding request and prevents replay attacks.
Flow
1. Verify the ID Token Signature: The ID token is digitally signed by the identity provider (IdP). Verify the signature using the IdP's public key to ensure the token's integrity and authenticity.
2. Validate the Token Claims: The ID token contains claims about the authenticated user. Validate the claims to ensure the token is genuine, still valid, and intended for your application. Common claims to check are the user's identifier (sub), issuer (iss), token expiration (exp), and audience (aud).
3. Authenticate the User: Once the token has been validated, use the information within it to authenticate the user. Typically, the sub claim provides a unique user identifier that you can use to associate the user with your application's internal user records.
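As an added example (not code from the original page), a stdlib-only Python validator that carries out the three steps above on an ID token. It uses HS256 with the client secret as the key, which OIDC permits for confidential clients; for RS256 tokens the same claim checks apply, but the signature is verified against the IdP's published public key instead. mint_id_token, validate_id_token, why_rejected and all sample values are constructed for this example.

```python
import base64, hashlib, hmac, json, time

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")

def mint_id_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    # Stand-in for the IdP: builds a token so the validator has input to run on.
    head = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"

def validate_id_token(token, key, issuer, client_id, nonce, now=None, leeway=60):
    now = int(time.time()) if now is None else now
    head_b64, body_b64, sig_b64 = token.split(".")  # ValueError if not 3 parts
    header = json.loads(_b64url_decode(head_b64))
    # Step 1: pin the expected alg (rejects alg=none / alg confusion), then check the MAC
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    # Step 2: bind the token to this IdP, this client, this time window and this request
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise ValueError("token not intended for this client")
    if now >= int(claims.get("exp", 0)) + leeway:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    # Step 3: the caller maps claims["sub"] to its own user record
    return claims

def why_rejected(*args, **kwargs):
    # Helper for tests: rejection reason as a string, or None when the token validates.
    try:
        validate_id_token(*args, **kwargs)
        return None
    except ValueError as e:
        return str(e)
```

The order matters: the signature is checked before any claim is trusted, so a forged payload never reaches the issuer, audience or nonce comparisons.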