OpenID Connect extends the OAuth 2.0 protocol to add a simple authentication and identity layer that sits on top of OAuth 2.0.
Use OpenID Connect when you want your cloud-based applications to get identity information, retrieve details about the authentication event (such as when, where, and how the authentication occurred), and to allow federated single sign-on (SSO).
OAuth 2.0 provides security tokens for use when calling back-end resources on behalf of a user. OAuth grants or licenses the ability to access resources rather than providing information about the authentication itself. Using OAuth for authentication is like an apartment manager giving someone who wants to know your identity a temporary key to your apartment. The key only implies a right to enter the apartment for a specific length of time. It doesn't imply that the individual is the owner.
OpenID Connect ID Token: This token contains information about the user's authenticated session.
UserInfo endpoint: This endpoint provides a way for the client to retrieve additional attributes about the user.
Implementing OpenID Connect
There are three main actions required to implement OpenID Connect:
Get an OpenID Connect ID Token: Use an OAuth2 grant type to request an OpenID Connect ID Token by including the openid scope in the authorization request.
The following use cases provide example requests and responses for obtaining the ID Token.
Validate the ID Token: Validate the ID Token to ensure that it originated from a trusted issuer and that the contents weren't tampered with during transit.
The following use case provides information on how and what to validate.
Retrieve profile information from the UserInfo endpoint: Using the OAuth2 Access Token, access the UserInfo endpoint to retrieve profile information about the authenticated user.
The following use case provides example requests and responses for retrieving profile information from the
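The three actions above, carried through as an added example that is not part of the original page or of any product's own code. It builds an authorization request that carries the openid scope, validates an ID Token against the checks a relying party must make (signature, issuer, audience, expiry, issue time, nonce), and prepares the bearer request for the UserInfo endpoint. Everything here is constructed: the issuer URL, client id, client secret, nonce and claims are placeholders, and the token is signed with HS256 using the client secret (which OpenID Connect Core permits) so the example runs offline with only the Python standard library; a production deployment typically uses RS256 with keys fetched from the issuer's JWKS endpoint, which this example does not cover.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Placeholder values, constructed for this example (not from any real issuer).
ISSUER = "https://issuer.example.com"
CLIENT_ID = "example-client"
CLIENT_SECRET = b"example-client-secret"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_request(redirect_uri: str, state: str, nonce: str) -> str:
    """Action 1: an authorization-code request that includes the openid scope.
    The nonce is echoed back in the ID Token and lets the client detect replay."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
    }
    return f"{ISSUER}/authorize?{urlencode(params)}"


def mint_id_token(claims: dict, secret: bytes) -> str:
    """Constructed stand-in for the issuer: sign the claims with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


class IdTokenError(Exception):
    pass


def validate_id_token(token: str, expected_nonce: str, now=None, leeway: int = 60) -> dict:
    """Action 2: the relying-party checks from OpenID Connect Core 3.1.3.7,
    applied to an HS256-signed token. Returns the claims only if every check passes."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise IdTokenError("token must have exactly three segments")
    header = json.loads(b64url_decode(header_b64))
    # Pin the expected algorithm; the token's own 'alg' must never pick the check.
    if header.get("alg") != "HS256":
        raise IdTokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(CLIENT_SECRET, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise IdTokenError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise IdTokenError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud_list:
        raise IdTokenError("token not intended for this client")
    if len(aud_list) > 1 and claims.get("azp") != CLIENT_ID:
        raise IdTokenError("multiple audiences but azp is not this client")
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + leeway:
        raise IdTokenError("token expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + leeway:
        raise IdTokenError("token issued in the future")
    if claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch (possible replay)")
    return claims


def rejection_reason(token: str, expected_nonce: str, now=None):
    """Returns None when the token validates, otherwise the reason it was rejected."""
    try:
        validate_id_token(token, expected_nonce, now=now)
        return None
    except IdTokenError as err:
        return str(err)


def userinfo_request(access_token: str) -> tuple:
    """Action 3: the UserInfo call is an HTTPS GET authorised with the OAuth2
    Access Token as a bearer token (the network call itself is not made here)."""
    return (f"{ISSUER}/userinfo", {"Authorization": f"Bearer {access_token}"})


if __name__ == "__main__":
    now = int(time.time())
    nonce = "constructed-nonce"
    print(build_authorization_request("https://app.example.com/cb", "state-1", nonce))
    token = mint_id_token({"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID,
                           "exp": now + 300, "iat": now, "nonce": nonce}, CLIENT_SECRET)
    print(validate_id_token(token, nonce, now=now)["sub"])
    print(rejection_reason(token, "some-other-nonce", now=now))
```

The order of the checks matters: the signature is verified before any claim is read, so a tampered payload is rejected without its contents ever influencing the decision, and the algorithm is fixed by the client rather than taken from the token header. The nonce comparison ties the ID Token to the specific authorization request that produced it, which is what distinguishes an authentication result from a merely valid token.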