Start with Identity
Standard · stable

OpenID Connect (OIDC)

OpenID Connect Core 1.0OpenID FoundationFinal; published as ITU-T Rec. X.1285 (2025)Official spec ↗

What it is

OpenID Connect (OIDC) is a thin identity layer built on top of OAuth 2.0. Where OAuth gives an app delegated access, OIDC adds standardized authentication: it tells the app that a user logged in and who they are. It is the modern foundation for single sign-on across consumer apps, mobile, and APIs.

How it works

OIDC introduces the ID token, a signed JWT containing claims about the authenticated user (subject identifier, name, email, authentication time). The app validates the token's signature against the provider's published keys (JWKS) and reads the claims. A standard userinfo endpoint returns additional profile data.

  • ID token: proof of authentication, as a JWT.
  • Access token: still OAuth, for calling APIs.
  • Discovery: providers publish configuration at a well-known URL so clients can self-configure.

Status

OIDC Core 1.0 is final and ubiquitous, supported by every major identity provider. It was republished as ITU-T Recommendation X.1285 in 2025. Extensions like the Shared Signals Framework and CIBA continue to evolve.

When to use it

Any time you need to log a user in. Reach for OIDC over raw OAuth for authentication, and over SAML when building modern web, mobile, or API-centric apps.

Pitfalls

  • Always validate the ID token signature, issuer, audience, and expiry.
  • Do not confuse the ID token (authentication) with the access token (authorization).

Related

Guides: OAuth vs OIDC, SAML vs OIDC. Glossary: OIDC, ID token.

OpenID Connect (OIDC): frequently asked questions

What is OpenID Connect (OIDC)?
OpenID Connect is a thin identity layer built on top of OAuth 2.0. Where OAuth grants an app delegated access to resources, OIDC adds standardized authentication: it proves that a user logged in and returns who they are through a signed ID token. It is the modern foundation for single sign-on across web, mobile, and API-centric apps.
What is the difference between OpenID Connect and OAuth 2.0?
OAuth 2.0 is an authorization framework: it lets an app act on a user's behalf without handling their password. OpenID Connect adds authentication on top, telling the app who the user is via an ID token. Use OAuth for delegated access to APIs, and OIDC when you need to log a user in.
What is the difference between an ID token and an access token?
An ID token is proof of authentication, a signed JWT with claims about the user (subject, name, email, authentication time) that the app validates and reads. An access token is an OAuth credential used to call APIs. Do not use an ID token to call APIs, and do not treat an access token as proof of who the user is.
Is OpenID Connect the same as SAML?
No. Both enable single sign-on, but OIDC is a modern JSON and JWT-based protocol suited to web, mobile, and APIs, while SAML 2.0 is an older XML-based standard still common in enterprise federation. New applications generally choose OIDC; SAML persists where enterprise identity providers and legacy integrations require it.
Independent, community-driven reference. Always confirm details against the official specification linked above.