OpenID Connect is an authentication protocol built on top of OAuth 2.0. The OpenID Connect Specification is maintained by the OpenID Foundation and the specification can be found here.
The OAuth specification states that an access_token is an opaque token and introduces the concept of scopes to limit access. OpenID Connect builds on this by introducing the id_token and JWTs (JSON Web Tokens).
It also defines claims, which are structured pieces of information about the authenticated user.
After a user or machine successfully authenticates using OpenID Connect, both an access_token and an id_token are issued.
Unlike in OAuth 2.0, these tokens have a defined structure and are usually represented as JWTs (JSON Web Tokens).
The JWT standard is described in RFC 7519.
Both the access_token and the id_token are JWTs that contain claims. The id_token contains information about the user's identity, such as their name or email address. The access_token contains information about what the client is authorized to access.
While OAuth defines the concept of token introspection (as specified in RFC 7662), OpenID Connect introduces additional mechanisms for validating the authenticity of tokens.
OpenID Connect publishes the provider's signing keys as JSON Web Keys (JWKs), as defined in RFC 7517, and the JWTs it issues are signed with those keys. By fetching the matching key (typically selected by the kid in the token header) and validating the signature, a token consumer can verify that the contents of the token have not been tampered with, without calling back to the provider.