Standard · stable

OpenID Connect (OIDC)

Specification: OpenID Connect Core 1.0 · Publisher: OpenID Foundation · Status: Final; published as ITU-T Rec. X.1285 (2025) · Official spec ↗

What it is

OpenID Connect (OIDC) is a thin identity layer built on top of OAuth 2.0. Where OAuth gives an app delegated access, OIDC adds standardized authentication: it tells the app that a user logged in and who they are. It is the modern foundation for single sign-on across consumer apps, mobile, and APIs.

How it works

OIDC introduces the ID token, a signed JWT containing claims about the authenticated user (subject identifier, name, email, authentication time). The app validates the token's signature against the provider's published keys (JWKS) and reads the claims. A standard userinfo endpoint returns additional profile data.

  • ID token: proof of authentication, as a JWT.
  • Access token: still OAuth, for calling APIs.
  • Discovery: providers publish configuration at a well-known URL so clients can self-configure.

Status

OIDC Core 1.0 is final and ubiquitous, supported by every major identity provider. It was republished as ITU-T Recommendation X.1285 in 2025. Extensions like the Shared Signals Framework and CIBA continue to evolve.

When to use it

Any time you need to log a user in. Reach for OIDC over raw OAuth for authentication, and over SAML when building modern web, mobile, or API-centric apps.

Pitfalls

  • Always validate the ID token signature, issuer, audience, and expiry.
  • Do not confuse the ID token (authentication) with the access token (authorization).

Related

Guides: OAuth vs OIDC, SAML vs OIDC. Glossary: OIDC, ID token.

Independent, community-driven reference. Always confirm details against the official specification linked above.