Article

OpenID Connect (OIDC): How It Works

What is OpenID Connect?


OpenID Connect 1.0 (Connect) is an OIDF standard that profiles and extends OAuth 2.0 to add an identity layer – creating a single framework that promises to secure APIs, mobile native applications, and browser applications in a single, cohesive architecture.

 

OpenID Connect adds two notable identity constructs to OAuth’s token issuance model.

 

  1. an identity token - the delivery of which from one party to another can enable a federated SSO user experience for a user

  2. a standardized identity attribute API - at which a client can retrieve desired identity attributes for a given user

What problems does OpenID Connect solve?


OAuth 2.0 is not an identity protocol, it is an authentication & authorization framework for securing arbitrary APIs as opposed to APIs fronting identity information. In addition, OAuth’s access tokens carry an authorization semantic, but do not have an identity semantic. OIDC layers these two identity-centric concepts onto OAuth’s ‘plumbing’ to create a framework for distributed identity.

How does OpenID Connect work?


An OAuth Client, when using OAuth to interact with an Authorization Server (AS) need only indicate to the AS that it wants to engage in the additional steps & flows that Connect defines beyond the base OAuth. As for OAuth, the AS can authenticate the User, and then return to the Client both an access token (as in OAuth) as well as an additional construct called an id_token. The id_token is an assertion by the AS to the Client that the User in question did indeed recently authenticate. It is by delivery of the id_token from the AS to the Client that the User is able to enjoy a SSO experience at the Client. In addition, the Client can use the access token on a call to the AS’s UserInfo endpoint in order to receive additional identity attributes beyond those in the id_token.

 

OIDC also defines mechanisms for discovery & session management beyond OAuth.  

Implementations of OIDC


Implementations of Connect include Google, Gakunin (Japanese Universities Network), Microsoft, PayPal, Ping Identity, Nikkei Newspaper, Tokyu Corporation, mixi, Yahoo! Japan and Softbank. There are also mature deployments underway by Working Group participant organizations, such as Deutsche Telecom, AOL, and Salesforce.

 

For an example of OpenID Connect at work, look at Google+ Sign-In, Google’s flagship social-identity offering, which is entirely based on OpenID Connect.

 

Related Resources


  • white paper

    Internet-Scale Identity Systems: An Overview and Comparison

    Download now
  • analyst report

    KuppingerCole Solutions for Customer IAM

    Download now
  • Webinar

    IAM is the Foundation of the Cyber Security Ecosystem

    watch now