Skip to content

Identity term · last reviewed 2026-07-07

OIDC

Also known as: OpenID Connect

OIDC (OpenID Connect) is a thin authentication layer built on OAuth 2.0 that adds an ID token, a signed JWT the client reads to verify who the user is; it powers most modern consumer login.

How it works

OpenID Connect (OIDC) is a thin authentication layer built on top of OAuth 2.0. It reuses OAuth's Authorization Code flow and endpoints, then adds one crucial artifact: the ID token, a signed JWT the client is meant to read. The ID token carries claims like sub (a stable user ID), iss (issuer), aud (audience), and expiry, so the client can verify who logged in. OIDC also standardizes a /userinfo endpoint and a discovery document at /.well-known/openid-configuration. The spec is OpenID Connect Core 1.0, maintained at openid.net.

When it matters

OIDC matters whenever you need to know who the user is, which plain OAuth never tells you reliably. "Sign in with Google" and "Sign in with Apple" are OIDC under the hood. For new consumer, mobile, and single-page app logins, OIDC with Authorization Code plus PKCE is almost always the right modern choice. It is also increasingly accepted for enterprise SSO alongside SAML. See OAuth 2.0 vs OIDC vs SAML.

Common misconceptions

  • "OIDC and OAuth are the same." OIDC is authentication; OAuth is authorization. OIDC is built on OAuth but adds identity.
  • "OIDC fully replaces SAML for enterprise." Technically capable, but many corporate identity providers and procurement checklists still require SAML by name.
  • "The access token proves identity." No. Read the ID token for identity; the access token is for calling APIs.
← All terms