
What is OpenID Connect and How Does it Work?

Cybersecurity remains a critical topic, with OpenID Connect (OIDC) being a key component in secure identity management. It is an identity layer on top of the OAuth 2.0 protocol, allowing applications to verify the user’s identity and receive basic profile information. 

What is OpenID Connect? 

OIDC enables applications to obtain end-user authentication without needing to manage user accounts directly. It uses an authentication server that can be updated independently, facilitating a microservices architecture. 

Authentication vs Authorisation vs Auditing 

First things first, when we talk about application security, there are three main concepts to be aware of.  

Authentication is proving that someone is who they say they are. At times we may require multiple factors to prove that you are who you say you are (this is multi-factor authentication). Authorisation, on the other hand, is about what you are allowed to do based on who you are. This is where we look at permission levels. Auditing is the ability to determine who did what. 

When we look at OpenID Connect, we are talking about the authentication process. 

Benefits of OpenID Connect in 2024 

OIDC supports a range of flows to suit different application needs, enhancing flexibility and security. It standardises identity management, centralising authentication and reducing the burden of managing multiple accounts. Additionally, the use of ID tokens in OIDC securely transfers information about the user to client applications. 

OIDC Process 

1. Client Initiation: The client directs the user to an authentication server with parameters such as scope and redirect URI. 

2. User Authentication: The server authenticates the user and asks for consent to share requested information. 

3. Code Exchange: A code is generated and sent back to the client via the redirect URI. 

4. Token Exchange: The client exchanges the code for an access token in the back channel. 

5. Resource Access: The client uses the access token to request user information from a resource server. 

Diagram explaining the OIDC grant process using the OAuth protocol, showing the interaction between the client, authorisation server, resource server and callback URI, with steps for consent and access token exchange.

A few key definitions we want to raise before going through the diagram above:

  • Back channel refers to server-to-server communication. This is more secure than front channel communication as it can’t be intercepted by a browser redirect or dodgy extension.
  • Front channel refers to server-to-browser communication.
  • ID Token is a reference to user identification. Most commonly it is the UID in the database but not always.
  • Authorisation code is a token that grants permission from the service provider. It is generated at runtime (think of it as an API key).
  • Scope is what the service provider allows you to access.

Keep in mind this is a very general overview of the OpenID Connect process.
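The five steps and the back channel / front channel distinction above, worked through end to end as an added example that is not part of the original article: a stand-in authorisation server issues a one-time code and a signed ID token, and the client checks the token’s signature, issuer, audience, expiry and nonce before trusting the identity. The issuer, client id, redirect URI and HS256 key are constructed placeholders (a real provider signs with RS256 and publishes its public keys).

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed values for the demo: a real provider signs with RS256 and publishes its public keys.
SIGNING_KEY = b"constructed-demo-hs256-key"
ISSUER, CLIENT_ID = "https://idp.example", "demo-client"   # hypothetical issuer and client id
REDIRECT_URI = "https://app.example/callback"                # hypothetical callback URI

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

class AuthServer:
    """Stand-in for the OpenID provider: issues one-time codes and signed ID tokens."""
    def __init__(self):
        self.codes = {}  # authorisation code -> (user id, nonce, redirect URI it was issued for)
    def authorize(self, redirect_uri, nonce, user_sub):
        # Steps 2-3: the user has authenticated and consented; hand back a short-lived code via redirect
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user_sub, nonce, redirect_uri)
        return code
    def token(self, code, redirect_uri):
        # Step 4 (back channel): the code is single-use and bound to the redirect URI it was sent to
        sub, nonce, bound_uri = self.codes.pop(code, (None, None, None))
        if sub is None or bound_uri != redirect_uri:
            raise ValueError("invalid or replayed authorisation code")
        now = int(time.time())
        claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": sub, "nonce": nonce, "iat": now, "exp": now + 300}
        header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = b64url(json.dumps(claims).encode())
        sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        return {"access_token": secrets.token_urlsafe(16), "id_token": f"{header}.{body}.{b64url(sig)}"}

def verify_id_token(id_token, expected_nonce):
    """Client side: check the signature, then iss/aud/exp/nonce, before trusting the identity."""
    header, body, sig = id_token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        raise ValueError("ID token signature does not verify")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["iss"] != ISSUER or claims["aud"] != CLIENT_ID or claims["exp"] <= time.time():
        raise ValueError("token is from another issuer, for another client, or expired")
    if claims["nonce"] != expected_nonce:
        raise ValueError("nonce mismatch: token does not belong to this login attempt")
    return claims

def run_flow(server, user_sub="user-42"):
    """Run steps 1-4 end to end and return the verified claims the client may rely on."""
    nonce = secrets.token_urlsafe(8)                        # step 1: client stores nonce in its session
    code = server.authorize(REDIRECT_URI, nonce, user_sub)  # steps 2-3: front channel redirect
    tokens = server.token(code, REDIRECT_URI)               # step 4: back channel exchange
    return verify_id_token(tokens["id_token"], nonce)
```

Reusing a code, presenting the token to a different client, or returning it to a login attempt with another nonce all fail the checks, which is what makes the back channel exchange safe even though the code itself travelled through the browser.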

OIDC’s flexibility, combined with robust security practices, makes it a powerful tool for managing user identities in modern applications. 


2024 WorkingMouse Pty Ltd. All Rights Reserved.