Developer Resources

What is OpenID Connect

The OpenID Connect protocol extends the OAuth 2.0 protocol to add an authentication and identity layer for application developers. Where OAuth 2.0 provides the application developer with security tokens to be able to call back-end resources on behalf of an end-user; OpenID Connect provides the application with information about the end-user, the context of their authentication, and access to their profile information.

Two new concepts are introduced on top of the OAuth 2.0 authorization framework:

  • an OpenID Connect "ID token" which contains information around the user’s authenticated session and

  • a UserInfo endpoint which provides a means for the client to retrieve additional attributes about the user

OpenID Connect uses the same actors and processes as OAuth 2.0 to get the ID token, and protects the UserInfo endpoint with the OAuth 2.0 framework.

Application Developer Considerations

There are three main actions an application developer needs to handle to implement OpenID Connect:

  1. Get an OpenID Connect id_token By leveraging an OAuth2 grant type, an application will request an OpenID Connect id_token by including the "openid" scope in the authorization request.

  2. Validate the id_token Validate the id_token to ensure it originated from a trusted issuer and that the contents have not been tampered with during transit.

  3. Retrieve profile information from the UserInfo endpoint Using the OAuth2 access token, access the UserInfo endpoint to retrieve profile information about the authenticated user.