OpenID Connect

OpenID Connect (OIDC) is the authentication layer that sits on top of OAuth 2.0. Where OAuth 2.0 answers the question of what an application is allowed to do, OpenID Connect answers the question of who the user is. It was first published in February 2014 by the OpenID Foundation as OpenID Connect Core 1.0; the specification has since been maintained with errata.

The specification defines its own purpose plainly: “OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.” In practice this means a relying party can delegate sign-in to an identity provider and trust the result, rather than managing passwords itself.

The central new artifact OpenID Connect adds is the ID Token. Per the spec, “The ID Token is a security token that contains Claims about the Authentication of an End-User by an Authorization Server when using a Client, and potentially other requested Claims. The ID Token is represented as a JSON Web Token (JWT).” Its claims include an issuer, a subject identifier for the user, an audience, and timestamps for when the user authenticated and when the token expires, all signed so the relying party can verify them.

Because it reuses OAuth 2.0’s flows and message formats, OpenID Connect was straightforward for existing OAuth providers to adopt. A client runs an OAuth authorization request, asks for the special “openid” scope, and receives an ID Token alongside the access token. A standardized UserInfo endpoint then lets the client fetch additional profile claims.
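The two paragraphs above describe what an ID Token carries and how a relying party ends up holding one. The following is an added example, not code from the OpenID Foundation or from any identity provider, showing both halves in miniature: an identity provider mints an ID Token after an authorization request with the `openid` scope, and the relying party validates it before trusting the `sub` claim. It uses HS256 with a shared `client_secret` so that it runs offline on the standard library alone; the issuer URL, client_id, secret and user identifiers are constructed placeholders. Real deployments usually receive RS256 tokens verified against keys fetched from the provider's discovery document, and use a vetted library for that, but the claim checks (issuer, audience, expiry, issue time, nonce) are the same ones the specification requires of every client.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example only; not from any real provider.
CLIENT_SECRET = b"example-client-secret-do-not-reuse"
ISSUER = "https://idp.example"      # hypothetical identity provider (OP)
CLIENT_ID = "rp-client-123"         # hypothetical relying party client_id


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_id_token(sub: str, nonce: str, now: int, lifetime: int = 300) -> str:
    """What the OP does after a successful login: sign a JWT whose claims
    say who authenticated (sub), for whom (aud), when (iat/auth_time) and
    until when the statement is good (exp). nonce echoes the RP's request."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "sub": sub,
        "aud": CLIENT_ID,
        "iat": now,
        "exp": now + lifetime,
        "auth_time": now,
        "nonce": nonce,
    }
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(CLIENT_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def validate_id_token(token: str, expected_nonce: str, now: int, leeway: int = 60) -> dict:
    """Relying-party checks, condensed from OpenID Connect Core 1.0 section
    3.1.3.7. Raises ValueError on the first failed check; returns the claims
    only when every check passes."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts

    # Pin the algorithm the RP registered for; never let the token pick it.
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    # Signature first: nothing in the payload is trustworthy before this.
    expected = hmac.new(CLIENT_SECRET, f"{header_b64}.{claims_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")

    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise ValueError("token not issued for this client")
    # With several audiences the token must name the party it was issued to.
    if len(audiences) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("azp missing or wrong for multi-audience token")

    if not isinstance(claims.get("exp"), int) or now >= claims["exp"] + leeway:
        raise ValueError("token expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + leeway:
        raise ValueError("token issued in the future")
    # The nonce binds this token to the session that started the login,
    # which is what stops a captured ID Token from being replayed elsewhere.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


if __name__ == "__main__":
    t0 = 1_700_000_000
    token = mint_id_token("user-42", "n-7f3a", t0)
    print(validate_id_token(token, "n-7f3a", t0 + 5)["sub"])
```

The order of checks matters: the signature is verified before any claim is read, the algorithm is fixed by the relying party rather than taken from the header, and the nonce the relying party generated at the start of the flow must come back unchanged. A token that passes signature verification but fails the issuer, audience or nonce check is still rejected, which is what distinguishes "this is a valid JWT" from "this user just signed in to my application".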

OpenID Connect became the dominant protocol for consumer and modern web single sign-on, underpinning the “sign in with” experiences offered by major identity providers. It coexists with the older, XML-based SAML standard, which remains common in enterprise federation, while OIDC’s JSON-and-JWT design fit naturally with the REST APIs and mobile applications that grew up around it.

Last verified June 8, 2026