What Is OIDC and How Does It Work?

OpenID Connect (OIDC) is an open authentication layer built on top of OAuth 2.0. It serves as a secure system for verifying an end user’s identity.

OIDC

OIDC (OpenID Connect)

OpenID Connect (OIDC) is an open authentication protocol that basically serves as a secure system for verifying an end user’s identity. It does this by allowing applications to contact trusted identity providers via an authorisation server and safely exchange user details. The data transferred is RESTful and interoperable.

OIDC facilitates authentication between numerous client types, including web-based, mobile, and JavaScript. Furthermore, its capabilities can be extended to include additional features like data encryption, OIDC provider discovery, and session management when requesting and receiving end user information. When executed on top of OAuth 2.0, OIDC establishes a single framework that guarantees a comprehensive and unified system of security for APIs and mobile and browser applications.

Benefits of OIDC

OIDC not only adds an extra layer of security to the authentication process, it also enhances the user experience. Here are some key benefits of OIDC:

  • Streamlined sign-up process: One of OIDC’s most appealing features is its implementation of single-click sign-on. Instead of requiring users to constantly type in extensive amounts of personal information to access a website, OICD stores basic information (name, date of birth, etc.) in an Open ID, which can then be used to automatically fill in registration forms. This saves valuable time and nerves.
  • Eliminate need for multiple usernames and passwords: OIDC lets users login to various websites, applications, and services using one single account (Google, Apple, Facebook, etc.) without having to create separate login credentials. This means users can avoid having to remember multiple username and passwords. Furthermore, services can eliminate the high customer service costs associated with password resets.
  • Fewer password security risks: Eliminating the need for separate passwords also resolves another security risk. Password reuse. Users overwhelmed by the number of passwords needed across services and applications often recycle passwords. This makes them an easy target for hackers who only need to crack one weak account to gain access to all of a user’s accounts. However, OIDC makes it possible to secure data with one set of credentials, thus only one password is needed. Furthermore, OIDC does not share passwords with websites or service providers, thereby mitigating the risk of interception by third-parties.
  • More control over online identity: OIDC is decentralised. That means no one authority or company is in control of the information users provide. Users have control over the information they share and with whom they share it.

How Does OIDC Work?

When opening an application, an OAuth flow is initiated. At this point, the user is asked to authorise a request. OAuth 2.0 is not an identity protocol in and of itself. It is only designed to grant access. OIDC enhances the OAuth 2.0 framework by adding login and profile information about the user signing up or logging in.

During this authorisation process, the application or service provider includes the OIDC scope and requests for any additional user information it requires. Once the request has been processed, the application or service provider receives an access token and an ID token from the authorisation server with the necessary user information.

In order to provide the single sign-on experience, the ID token is delivered from the authorisation server to the application or service provider. Thereafter, an endpoint located on the authorisation server can provide the remaining user information.

OIDC can also be implemented for discovery and session management beyond OAuth.

FAQ about OIDC

How Does OIDC Improve Security?

orange-plus orange-minus

OIDC provides additional security features to verify a user's identity and ensure that only authorised users can access an application.

What Are the Main Components of OIDC?

orange-plus orange-minus

The OpenID Provider (OP): The OpenID Provider is the service that provides the identity management and performs the authentication process.

The Relying Party (RP): The Relying Party is the application or website that requires the authentication of the user and uses the identity information issued by the OpenID Provider.

The User: The User is the person who logs into the application and confirms their identity by authenticating via the OpenID Provider.

Is OIDC Scalable?

orange-plus orange-minus

OIDC is scalable and can be used in a variety of application areas, including mobile applications and web applications.

How Is OAuth 2.0 Different From OAuth 1.0?

orange-plus orange-minus

OAuth 2.0 is a simpler and more flexible protocol than OAuth 1.0. It does not require the use of cryptographic signatures or the inclusion of the client secret in every request. It also allows the use of access tokens that can be updated instead of relying on a single access token that is valid for the entire duration of the authorisation.