OIDC flows are based on OAuth flows. In an OAuth flow, the end-user provides their credentials to the identity provider. The user then receives an authorization prompt, in which they allow the delegated app to reuse their login to the identity provider. OAuth then provides the application with an Access Token, which authorizes the user to access an app but does not contain any information about the user. OIDC also uses an authorization prompt to authenticate a user, and additionally provides an ID Token. The ID Token is technically a JSON Web Token (JWT), and includes identifiable information about the user, such as their name and email address. The application can use this ID Token to prove that the user is authenticated.
When a user authenticates to an application through an identity platform using the OIDC protocol, the identity platform sends an ID Token to the application. The application validates the token and uses it to sign the user in instead of prompting for a username and password.
As in OAuth, the OIDC token grants the user permissions and its scope defines what those permissions are. OIDC takes this one step further by providing the UserInfo Endpoint, which delivers information about the user based on a set of standard scopes while still allowing customization. An OIDC ID Token includes the following basic claims:
| ID Token Claim | Description |
|---|---|
| sub (subject) | Asserts the user's identity |
| iss (issuer) | Specifies which authority issued the token |
| aud (audience) | Specifies for which client the token was generated |
| iat (issue time) | Specifies when the token was generated |
| exp (expiration time) | Specifies when the token is set to expire |
| auth_time (authentication time) | Specifies when the user was authenticated |
| acr (authentication encryption) | Specifies the encryption strength used to authenticate the user |
The ID Token also provides apps with additional user data that is not part of the authentication process itself but is used for functional purposes. The ID Token can include names, email addresses, and more (see the full list of OIDC standard user claims).
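To make the claims in the table concrete, here is an added example (not code from the original page) that builds a minimal ID Token and then performs the checks a relying party must do before trusting it: signature, iss, aud, exp, iat and auth_time freshness. It signs with HS256 and a shared secret only so it runs offline with the standard library; the issuer, client id, secret and claim values are all constructed placeholders.

```python
import base64, hashlib, hmac, json

# Constructed values for the demo. Real OIDC providers normally sign ID Tokens with
# RS256 keys published at their JWKS endpoint; HS256 is used here only to stay offline.
SECRET = b"demo-shared-secret-not-for-production"
ISSUER = "https://idp.example.com"       # hypothetical issuer
CLIENT_ID = "my-relying-party"           # hypothetical client_id

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_id_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build an HS256-signed JWT from the given claims (test helper)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_id_token(token: str, now: int, secret: bytes = SECRET,
                      issuer: str = ISSUER, client_id: str = CLIENT_ID,
                      max_auth_age: int = 3600) -> dict:
    """Verify the signature and the basic claims; raise ValueError on any failure."""
    header_b64, payload_b64, sig_b64 = token.split(".")   # ValueError if malformed
    # Pin the expected algorithm instead of trusting the token's own header.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != issuer:                 # iss: only the trusted authority
        raise ValueError("wrong issuer")
    if client_id not in audiences:                  # aud: minted for this client
        raise ValueError("token not intended for this client")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:   # exp
        raise ValueError("token expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now:    # iat
        raise ValueError("token issued in the future")
    if "auth_time" in claims and now - claims["auth_time"] > max_auth_age:
        raise ValueError("authentication too old")   # auth_time freshness
    if not claims.get("sub"):                        # sub: whose identity this asserts
        raise ValueError("missing sub")
    return claims
```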