Definition
OpenID Connect
OpenID Connect is an authentication layer built on top of the OAuth 2.0 authorisation framework. It enables a client to verify the identity of an end user and to obtain basic profile information about that user in an interoperable and REST-like manner.
Identity information is conveyed through an ID token, which is a JSON Web Token (JWT) issued by an identity provider.
Flows
Authorisation Code Flow
For classic web and mobile applications.
Step 1 — Initiation.
The user informs the service provider that they want to authenticate via a specific identity provider.
Step 2 — Redirect to Identity Provider.
The service provider redirects the user’s browser to the identity provider. The URL contains:
- an identifier of the service provider at the identity provider
- a redirect URL on the service provider where the user is sent after authentication
Step 3 — User Authentication.
The user authenticates directly with the identity provider.
Step 4 — Redirect with Authorisation Code.
The identity provider redirects the user back to the service provider. The URL contains an authorisation code that the service provider can exchange for an identity token.
Step 5 — Code Exchange.
The service provider authenticates itself at the identity provider and sends the received authorisation code.
Step 6 — Token Issuance.
The identity provider validates the code and issues an identity token (a JWT containing user information such as issuer, subject, audience, expiry, and profile attributes) to the service provider.
Implicit Flow
For web applications without a backend. The identity token is returned directly to the client (typically via a fragment in the redirect URL) without an intermediate authorisation code exchange.
Hybrid Flow
A combination of the authorisation code and implicit flows. The authorisation code and some tokens are returned from the authorisation endpoint. Rarely used.