OpenID Connect (OIDC)
OpenID Connect (OIDC) is an authentication layer built on top of OAuth 2.0. Where OAuth 2.0 only issues access tokens that say what a client may do, OIDC adds an ID token: a signed JWT issued by the identity provider (the OpenID Provider) that states who the end user is, which client it was issued to, and when. It lets applications (relying parties) verify the identity of end users and obtain basic profile information through a standard interface rather than a provider-specific one.
# WHAT TEAMS RUN INTO
- OIDC implementations vary in how strictly they validate the ID token. The specification requires the relying party to verify the signature against the provider's published keys, and to check that `iss` matches the expected provider, that `aud` contains the client's own `client_id`, that `exp` has not passed, and that `nonce` matches the value the client sent when it started the login. Some applications check all of this; others decode the JWT and trust its claims, accept whatever `alg` the token's header names (including `none`), or skip the audience check so a token issued to a different client is accepted. OIDC is only as strong as the relying party's validation code.
- Tokens can be captured and replayed if they are transmitted or stored insecurely. The ID token is a JWT carrying claims about the user, and the access token issued alongside it is a bearer token: whoever holds it can present it. The OIDC answer is to deliver tokens only over TLS, to bind the ID token to the originating session with a per-login `nonce` (and the authorization response with the OAuth `state` value), and to keep token lifetimes short, so that a captured token is useless outside the session it was minted for and expires soon after.
- Scope management inherits OAuth's problems. Applications request more than they need (`openid profile email address phone`, plus `offline_access` for a refresh token) and users approve the consent screen reflexively, without understanding which identity attributes are being released. Request only the scopes the feature actually uses.
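As an added example (not code from the original page or from any OIDC library), the validator below checks an ID token the way the validation bullet above describes and shows why the `nonce` check from the replay bullet matters: a genuine token is accepted, while an unsigned (`alg: none`) token, a token signed with the wrong key, a token for another client, an expired token and a token replayed into a different session are all refused, even though a careless decoder reads a `sub` out of every one of them. It uses HS256 with the client secret, which OIDC Core permits for confidential clients and which keeps the example dependent only on the Python standard library; most deployments use RS256 with keys fetched from the provider's JWKS endpoint, and only the signature step changes. The client id, secret, issuer URL and claim values are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed fixture values for this example; not from any real deployment.
CLIENT_ID = "demo-rp"
CLIENT_SECRET = b"constructed-client-secret-for-the-example"
ISSUER = "https://op.example"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_id_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build an ID token the way a test OpenID Provider would.

    alg="none" yields an unsigned token so the validator can be shown
    rejecting it; no real provider should issue such a token to a client.
    """
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    """The careless pattern: read the claims without checking anything."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def validate_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                      expected_nonce: str, now: Optional[int] = None) -> dict:
    """Strict validation per OIDC Core 3.1.3.7: alg, signature, iss, aud, exp, iat, nonce.

    Raises ValueError on any failure so a caller cannot treat a partially
    checked token as a login.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))

    # Pin the algorithm the client was configured for; never let the token's
    # own header pick it, or "none" and key-confusion attacks become possible.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    # aud may be a string or a list; this client's id must be present either way.
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        raise ValueError("audience mismatch")
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("token expired")
    if "iat" not in claims or int(claims["iat"]) > now + 60:  # 60 s clock-skew allowance
        raise ValueError("iat in the future")
    # The nonce ties the ID token to the session that started this login, so a
    # token captured from another session fails here even with a valid signature.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def classify(token: str, expected_nonce: str, now: int) -> str:
    """Run the strict validator and report the outcome as a single string."""
    try:
        claims = validate_id_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID, expected_nonce, now)
    except ValueError as exc:
        return f"rejected: {exc}"
    return f"accepted: sub={claims['sub']}"


if __name__ == "__main__":
    now = 1_700_000_000
    good_claims = {"iss": ISSUER, "sub": "user-1", "aud": CLIENT_ID,
                   "exp": now + 300, "iat": now, "nonce": "n-1"}
    good = mint_id_token(good_claims, CLIENT_SECRET)
    forged = mint_id_token(dict(good_claims, sub="attacker"), b"wrong-secret")
    unsigned = mint_id_token(dict(good_claims, sub="attacker"), CLIENT_SECRET, alg="none")
    cases = [("genuine", good, "n-1", now), ("forged signature", forged, "n-1", now),
             ("alg=none", unsigned, "n-1", now), ("replayed elsewhere", good, "n-2", now),
             ("expired", good, "n-1", now + 600)]
    for label, tok, nonce, t in cases:
        print(f"{label:20} unverified sub={decode_unverified(tok)['sub']:9} "
              f"strict -> {classify(tok, nonce, t)}")
```

The algorithm pin is the check most often missing in hand-rolled validators: a library that honours the token's own `alg` header can be talked into `none` or into verifying an RSA-signed token as an HMAC keyed with the public key. The `nonce` comparison is what turns a captured-but-valid token into a rejected one; it only works if the relying party stores the nonce it generated in the user's session and compares against that stored value, never against anything taken from the token.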
# WHY IT MATTERS
OIDC filled the gap that OAuth 2.0 left: it standardizes authentication, not just authorization. OIDC is the modern way applications authenticate users through identity providers, but it does not authenticate anyone by itself. The provider signs a statement about the user; it is the relying party that has to verify that statement against the right keys, the right issuer, its own client id and its own session, and then keep the resulting tokens out of reach. An application that decodes the ID token without checking it, or leaks it after checking it, gets no more security from OIDC than from a self-asserted username.