OpenID Connect Explained: How Modern Authentication Actually Works

What is OpenID Connect?

OpenID Connect (OIDC) is an identity authentication protocol built on top of OAuth 2.0. While OAuth 2.0 handles authorization (granting access to resources), OIDC adds an authentication layer — it verifies who the user is. Every time you click "Sign in with Google", "Continue with GitHub", or "Log in with Apple", OpenID Connect is working behind the scenes.

OIDC vs OAuth 2.0: The Key Distinction

This is one of the most common points of confusion in web security:

• OAuth 2.0 answers: "Can this app access this resource on behalf of the user?" — it's about authorization.
• OpenID Connect answers: "Who is this user?" — it's about authentication. OIDC adds an ID Token (a JWT) to the OAuth flow that contains verified identity information.

Core Concepts

Roles in OIDC

• End User: The person authenticating (your app's user).
• Relying Party (RP): Your application — the one requesting authentication.
• OpenID Provider (OP): The identity server that authenticates the user (Google, Auth0, Keycloak, etc.).

Key Tokens

• ID Token: A JWT containing claims about the authenticated user (sub, email, name, iss, aud, exp). This is the core OIDC addition over OAuth 2.0.
• Access Token: Used to call the provider's /userinfo endpoint or your own APIs.
• Refresh Token: Used to obtain new access tokens without re-authentication (when the provider supports it).

The Authorization Code Flow (Step by Step)

The Authorization Code Flow is the most secure and widely recommended OIDC flow for web applications:

1. User clicks "Login" → Your app redirects to the OpenID Provider with parameters: client_id, redirect_uri, scope=openid email profile, response_type=code, and a state value for CSRF protection.
2. User authenticates at the provider (enters credentials, approves scopes).
3. Provider redirects back to your redirect_uri with an authorization code.
4. Your server exchanges the code for tokens by making a back-channel POST request to the provider's token endpoint, including the client_secret.
5. Your server validates the ID Token — checking signature, iss, aud, and exp claims.
6. User is authenticated. Create or look up the user by their sub (subject) claim and establish a session.

The PKCE Extension (Essential for SPAs and Mobile)

For single-page apps and mobile apps where a client_secret cannot be kept confidential, use PKCE (Proof Key for Code Exchange). PKCE replaces the client secret with a cryptographic challenge/verifier pair generated by the client, making it safe to use the Authorization Code Flow in public clients.

Discovery: The .well-known Endpoint

One of OIDC's most useful features is its Discovery document. Every compliant provider publishes its configuration at:

https://accounts.google.com/.well-known/openid-configuration

This JSON document lists all endpoints (authorization, token, userinfo, JWKS), supported scopes, and signing algorithms — making dynamic, provider-agnostic integration straightforward.

Implementing OIDC: Use a Library

Don't implement the OIDC flow manually in production. Use a vetted library:

• Node.js: openid-client (official certified library)
• Python: Authlib or python-jose
• Managed solutions: Auth0, Clerk, Supabase Auth, AWS Cognito

Getting token validation, clock skew handling, and key rotation right is non-trivial. Libraries handle these edge cases so you don't have to reinvent the wheel.