OpenID Connect 1.0: modern identity layer on OAuth 2.0

OpenID Connect Core 1.0 (February 2014): standard authentication layer over OAuth 2.0. ID token JWT, UserInfo endpoint, discovery metadata, SSO flows. Foundation of Google/Microsoft/Apple Sign-In, SPID, corporate login.


Authorisation vs Authentication

OAuth 2.0 (2012) is designed for authorisation — giving an app delegated access to user resources. It is, however, improperly used for authentication (“Login with Google”), with each implementer inventing their own way of communicating user identity. A standard is needed.

The release

OpenID Connect Core 1.0 is published on 11 February 2014 by the OpenID Foundation. Editors: Michael B. Jones (Microsoft), John Bradley, Nat Sakimura. Successor to OpenID 2.0 (2007, a completely different earlier protocol).

Conceptually: “OIDC is to OAuth as authentication is to authorisation”.

Components

  • ID Token — signed JWT containing standardised user claims (sub, name, email, iss, aud, exp, iat)
  • Access Token — OAuth 2.0 standard
  • Refresh Token — renewal
  • UserInfo Endpoint — API with additional user details
  • Discovery (/.well-known/openid-configuration) — provider metadata
  • JWKS (/.well-known/jwks.json) — public keys for signature verification
  • Standard scopes — openid, profile, email, address, phone

Example flow

1. Redirect → /authorize?response_type=code&scope=openid+email&...
2. User auth + consent
3. Redirect back → /callback?code=abc123
4. POST /token → { id_token, access_token, refresh_token }
5. Verify id_token signature + claims
6. GET /userinfo with access_token (optional)

Flows

  • Authorization Code + PKCE — recommended for SPA and webapp
  • Hybrid Flow — code + id_token or token
  • Implicit — deprecated
  • Device Flow — for smart TV/IoT

Standard providers

All major providers are OIDC-compliant:

  • Google, Microsoft/Azure AD, Apple, Facebook, GitHub, LinkedIn
  • Auth0, Okta, OneLogin (SaaS)
  • Keycloak, Authentik, Ory Hydra, Dex, Zitadel (OSS)

Related specifications in the OIDC family:

  • OIDC Discovery 1.0
  • OIDC Dynamic Client Registration
  • OIDC Session Management — federated logout
  • OIDC Front-Channel/Back-Channel Logout
  • FAPI (Financial-grade API) — hardened profile for banks/PSD2

In the Italian context

OpenID Connect is the foundation of:

  • SPID — historically a SAML profile, with the transition to OIDC Federation now in progress
  • CIE ID — Electronic Identity Card online (OIDC-like)
  • EUDI Wallet — European digital identity wallet (eIDAS 2 regulation, 2024)
  • Italian corporate login via Azure AD / Google Workspace
  • PSD2 Fintech Italy — FAPI profile

Every team implementing “social login” in an Italian site or enterprise SSO integration touches OIDC.


