OpenID Connect OIDC
OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0 that lets applications verify a user's identity and obtain basic profile data via a signed JSON ID token. It is the modern standard for single sign-on across web, mobile and API clients. Unlike SAML's XML, OIDC uses REST/JSON, making it the default choice for new applications and consumer logins.
Definition
Identity layer on top of OAuth 2.0 (OpenID Foundation, OIDC Core 1.0). Provides standardized authentication via JWT ID tokens carrying claims about the authenticated user. Modern enterprise SSO standard, replacing SAML for cloud-native applications. Foundation of consumer login (Google, Apple, Microsoft).
- Synonyms: OpenID Connect (OIDC)
- Application: Implementations: every major IdP (Okta, Microsoft Entra, Ping, ForgeRock, Keycloak), client libraries in every major language. Use cases: web SSO, mobile auth, API authorization, federated identity.
- Standards & regulations:
  - ISO/IEC 26135:2024 «This specification complements the OpenID Connect Core 1.0 [OpenID.Core] specification by defining how to monitor the End-User's login status at the OpenID Provider.»
  - RFC 9560 «OpenID Connect 1.0 [OIDCC] is a decentralized, Single Sign-On (SSO) federated authentication system that allows users to access multiple web resources with one identifier instead of having to create m»
  - ISO/IEC 24760-1:2019 «identity federation: arrangement that allows an identity to be verified by an entity other than the one that issued it»
- Sources:
  - OpenID Connect Core 1.0 (primary source)
  - OpenID Connect Discovery 1.0 (industry commentary)
Related terms
- DPoP (Demonstration of Proof of Possession): Demonstration of Proof-of-Possession — IETF RFC 9449, OAuth 2.0 mechanism binding an access token to a private key held …
- Kerberos: Network authentication protocol developed at MIT (Kerberos v5: IETF RFC 4120, 2005) using symmetric-key cryptography and …
- Public Key Infrastructure (PKI): distributed system of services, components, and policies supporting cryptographic oper …
- FAPI 2.0 (Financial-grade API): OpenID Foundation Financial-grade API Security Profile 2.0 — high-security authorization profile for financial APIs (ope …
- mTLS (mutual TLS): both client and server authenticate each other via certificates during TLS handshake. RFC 8705 specifies OA …
- OAuth 2.1: IETF draft consolidating OAuth 2.0 (RFC 6749) with security best practices and deprecating insecure patterns: removes im …
Frequently asked questions
What is the difference between OAuth 2.0 and OpenID Connect?
OAuth 2.0 is an authorization framework: it grants an app limited access to resources. OIDC adds authentication on top, returning an ID token that proves who the user is. Use OAuth for access delegation, OIDC when you need to log a user in.
When should I use OIDC instead of SAML?
Choose OIDC for new web, mobile and API projects: it is JSON/REST-based, lighter, and better suited to native and single-page apps. SAML still makes sense when integrating with enterprise SaaS that only supports it.
Is OpenID Connect secure?
OIDC is secure when implemented correctly: validate token signatures and claims, use PKCE for public clients, keep token lifetimes short, and prefer the authorization-code flow. Most real-world risk comes from misconfiguration, not the protocol.