OpenID Connect
An authentication layer built on top of OAuth 2.0. OAuth answers “what can this app access?”; OIDC answers “who is this user?”
What OIDC Adds to OAuth 2.0
| Feature | OAuth 2.0 | OIDC |
|---|---|---|
| Purpose | Authorization | Authentication + Authorization |
| Tokens issued | Access token | Access token + ID Token |
| User identity | Not standardized | Standardized via ID Token claims |
| User info endpoint | None | /userinfo returning standard claims |
| Discovery | None | .well-known/openid-configuration |
| Standard scopes | Provider-defined | openid, profile, email, phone, address |
Triggering an OIDC Flow
Add the openid scope to an OAuth 2.0 Authorization Code Flow request. That’s it. The auth server now also returns an ID Token alongside the access token.
&scope=openid%20email%20profileWithout openid, you have OAuth — no identity, just an opaque “this client is allowed to call these APIs” token.
Standard Scopes and What They Return
| Scope | Returns |
|---|---|
openid | Required. Triggers OIDC. Returns sub (user identifier). |
email | email, email_verified |
profile | name, given_name, family_name, picture, locale, updated_at, etc. |
phone | phone_number, phone_number_verified |
address | address (a structured object) |
Discovery
OIDC providers publish a discovery document at:
https://{issuer}/.well-known/openid-configurationIt contains every endpoint URL, supported scopes, supported signing algorithms, and the JWKS URI for fetching public keys. Always discover at runtime rather than hardcoding endpoint URLs — providers occasionally rotate them.
{
"issuer": "https://accounts.google.com",
"authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
"token_endpoint": "https://oauth2.googleapis.com/token",
"userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
"jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
"response_types_supported": ["code", "token", "id_token", "code token", "code id_token", "token id_token", "code token id_token"],
"subject_types_supported": ["public"],
"id_token_signing_alg_values_supported": ["RS256"],
"scopes_supported": ["openid", "email", "profile"],
...
}The UserInfo Endpoint
GET https://openidconnect.googleapis.com/v1/userinfo
Authorization: Bearer ACCESS_TOKENReturns standardized user claims (the same kind found in the ID Token). Useful when you need fresh data — the ID Token is a snapshot at login time.
Flow Variants
OIDC defines several flows; for web/mobile you almost always want the Authorization Code Flow (with PKCE).
- Authorization Code Flow — code in front-channel, tokens in back-channel. Default choice.
- Implicit Flow — tokens directly in front-channel. Deprecated.
- Hybrid Flow — code + (id_token or token) in front-channel; remaining tokens in back-channel. Used by Sign in with Apple when name/email scopes are requested.
Pitfalls
- Treating an OAuth-only access token as identity. Without
openidscope and an ID Token, you have authorization, not authentication. - Trusting the UserInfo endpoint without validating the access token first. A compromised access token still calls UserInfo successfully.
- Hardcoding endpoint URLs instead of using discovery → silent breakage on provider changes.