# OpenID Connect (OIDC)

**OpenID Connect (OIDC)** is an identity layer built on top of OAuth 2.0. It allows clients to verify the identity of an end-user based on authentication performed by an authorization server, and to obtain basic profile information.

## Key Concepts

- **OAuth 2.0 Foundation**: OIDC adds an identity layer on top of OAuth 2.0
- **ID Token**: A JSON Web Token (JWT) that proves user identity
- **Standardized Claims**: Standard claims like `sub`, `email`, `name`, etc.
- **Discovery**: `/.well-known/openid-configuration` endpoint for automatic configuration
- **UserInfo Endpoint**: API to retrieve user profile information

## Core Components

| Component | Role |
|-----------|------|
| Relying Party (RP) | The application requesting authentication |
| OpenID Provider (OP) | The identity provider authenticating the user |
| End-User | The person being authenticated |
| ID Token | JWT containing identity claims |
| Access Token | OAuth 2.0 token for API access |

## Authentication Flows

- **Authorization Code Flow**: For server-side apps; most secure
- **Implicit Flow**: For browser-based SPAs (deprecated in favor of the Authorization Code Flow with PKCE)
- **Hybrid Flow**: Combination of authorization code and implicit
- **PKCE (Proof Key for Code Exchange)**: Recommended for public clients

## Common Use Cases

- "Sign in with Google/Microsoft/Apple/etc."
- Single Sign-On (SSO) across applications
- B2B/B2C identity federation
- API authentication for mobile and web apps
- Foundation for [[Solid OIDC]] in decentralized contexts

## Major Providers

- Google, Microsoft, Apple, Auth0, Okta, Keycloak (open source)
- Decentralized: [[Solid OIDC]] providers

## Resources

- OIDC spec: https://openid.net/specs/openid-connect-core-1_0.html
- OpenID Foundation: https://openid.net/

## References

- https://openid.net/connect/

## Related

- [[Solid OIDC]]
- [[WebID]]