The OpenID Connect protocol extends the OAuth 2.0 protocol to add an authentication and identity layer for application developers. Where OAuth 2.0 provides the application developer with security tokens to call back-end resources on behalf of an end-user, OpenID Connect provides the application with information about the end-user, the context of their authentication, and access to their profile information.

Two new concepts are introduced on top of the OAuth 2.0 authorization framework:

  • an OpenID Connect "ID token", which contains information about the user's authenticated session, and
  • a UserInfo endpoint, which provides a means for the client to retrieve additional attributes about the user.

OpenID Connect uses the same actors and processes as OAuth 2.0 to get the ID token, and protects the UserInfo endpoint with the OAuth 2.0 framework.
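The two concepts above meet in the client, which must check the ID token before trusting it and must tie any UserInfo response back to the same subject. The sketch below is an added example, not code from the original page: it uses the standard OpenID Connect claim names (`iss`, `aud`, `exp`, `nonce`, `sub`) and assumes an HS256-signed token so that it runs on the standard library alone; the issuer, client ID, secret and all function names are constructed for illustration.

```python
import base64, hashlib, hmac, json, time
# Constructed sample values (assumptions, not from the page).
ISSUER, CLIENT_ID, SECRET = "https://op.example", "client-abc", b"constructed-client-secret"

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(claims, secret):
    """Build a constructed HS256 ID token (stands in for the OpenID Provider)."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

def validate_id_token(token, secret, issuer, client_id, nonce, now=None):
    """Return the claims if the ID token passes the client-side checks, else raise ValueError."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        claims = json.loads(b64url_decode(body))
        got = b64url_decode(sig)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise TypeError("header and payload must be JSON objects")
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":  # pin the algorithm; do not let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, got):
        raise ValueError("bad signature")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")  # may be a single string or a list of audiences
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued to this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or (now or time.time()) >= exp:
        raise ValueError("expired or missing exp")
    if claims.get("nonce") != nonce:  # binds the token to this client's own request
        raise ValueError("nonce mismatch")
    return claims

def merge_userinfo(id_claims, userinfo):
    """Accept UserInfo attributes only if they describe the same subject as the ID token."""
    if not id_claims.get("sub") or userinfo.get("sub") != id_claims["sub"]:
        raise ValueError("UserInfo sub does not match ID token sub")
    return {**userinfo, **id_claims}  # ID token claims win on conflict
```

In production the provider usually signs with an asymmetric key published in its JWKS document, so a maintained JOSE library would replace the HMAC step; the claim checks and the `sub` comparison stay the same.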