{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreiffwzqwrovbfbfsoa4j3oqi66deode7cutslnl4dwmnhkx5yuszdi",
"uri": "at://did:plc:5sgu76a53rz3n6unbykmovqy/app.bsky.feed.post/3mloettqp7fa2"
},
"description": "OpenID Connect (OIDC) is an authentication layer built on top of OAuth 2.0. Where OAuth defines authorization (who can access what), OIDC defines authentication (who the user is) by adding a standardized ID Token, a defined set of user claims, and a UserInfo endpoint.\n\n\nHow it works\n\nOIDC reuses the OAuth 2.0 Authorization Code flow with one addition: when the client requests the openid scope, the authorization server returns an ID Token alongside the access token. The ID Token is a signed JWT c",
"path": "/engineering-glossary/oidc-openid-connect/",
"publishedAt": "2026-05-12T18:04:50.000Z",
"site": "https://sahilkapoor.com",
"tags": [
"OpenID Connect Core 1.0",
"OAuth 2.0",
"JWT",
"Authorization Server",
"Bearer Token",
"Session",
"PKCE",
"SAML"
],
"textContent": "**OpenID Connect (OIDC)** is an authentication layer built on top of OAuth 2.0. Where OAuth defines authorization (who can access what), OIDC defines authentication (who the user is) by adding a standardized ID Token, a defined set of user claims, and a UserInfo endpoint.\n\n## How it works\n\nOIDC reuses the OAuth 2.0 Authorization Code flow with one addition: when the client requests the `openid` scope, the authorization server returns an **ID Token** alongside the access token. The ID Token is a signed JWT containing claims about the authenticated user (such as `sub`, `email`, `name`) and the authentication event (`iss`, `aud`, `exp`, `iat`, `nonce`). The client validates the signature and uses the claims to establish a session.\n\n## Common scopes\n\n * `openid`: required to trigger OIDC behaviour\n * `profile`: name, picture, preferred_username\n * `email`: email and email_verified\n * `address`, `phone`: postal address and phone number\n * `offline_access`: requests a refresh token for offline use\n\n## Specification\n\nDefined by the OpenID Connect Core 1.0 specification, with complementary specs covering discovery, dynamic client registration, session management, and logout.\n\n**Related Terms**\nOAuth 2.0, JWT, Authorization Server, Bearer Token, Session, PKCE, SAML.",
"title": "OIDC (OpenID Connect)",
"updatedAt": "2026-05-13T19:15:17.328Z"
}