What is OpenID Connect and How Does it Work?


It seems as though cyber security is perpetually in our newsfeed for one reason or another (and it's never a good thing). What often isn't included in these stories is the fun stuff: the theory and frameworks for implementing good security practices.

What is OpenID Connect?

OpenID Connect (OIDC) is an identity layer that allows applications to verify the identity of an end user. It sits on top of the OAuth 2.0 protocol, adding a signed ID token and a standard way to fetch basic profile information, and it can be set up with a dedicated authentication server (which can seriously benefit an application over the course of its lifetime).

The simplest way to describe OpenID Connect is to give examples. When you first join a product like Spotify, you're given the option to create an account or sign in with Facebook/Google. There is a good chance that the application is using OpenID Connect.

Authentication vs Authorisation vs Auditing

First things first, when we talk about application security, there are three main concepts to be aware of. This is often referred to as an AAA approach to security.

Authentication is proving that someone is who they say they are. At times we may require multiple factors to prove that you are who you say you are (this is multi-factor authentication). Authorisation, on the other hand, is deciding what you're allowed to do based on who you are; this is where we look at permission levels. Auditing is the ability to determine who did what (the third A is also commonly expanded as Accounting).

When we look at OpenID Connect, we are talking about the authentication process. The OAuth 2.0 protocol underneath it only covers authorisation (delegating access to a resource); it says nothing about who the user is, and that is exactly the gap OpenID Connect fills.

If you would like to learn about

The Benefits of OpenID Connect

Straight off the bat, there is a benefit to not having your own user accounts. By leveraging someone else's, you not only improve the user experience (who enjoys managing 100 different accounts and passwords?) but the authentication, including password storage, multi-factor authentication and breach handling, is done by a third party. The trade-off is that you now trust that identity provider completely, and your application still has to handle its side of the protocol correctly: validating the tokens it receives and protecting its callback URL.

We also mentioned above that you can create your own authentication server. Changing the identity provider (or the authentication process in general) can be tricky. A dedicated server for authentication that can be updated separately is extremely powerful. It enables you to move closer to that microservice architecture, with a key concern separated from the rest of the application.

OIDC Process

A few key definitions we want to raise before going through the flow:

  • Back channel refers to server-to-server communication: the client's backend talks to the authentication server directly over TLS. It is more secure than front-channel communication because nothing passes through the user's browser, so it can't be observed or tampered with via a browser redirect, the browser history, or a dodgy extension.
  • Front channel refers to communication that goes via the browser, typically as redirects carrying query parameters. Anything sent this way should be treated as visible to, and modifiable by, the user and whatever is running in their browser.
  • ID Token is the artefact OpenID Connect adds on top of OAuth: a signed JSON Web Token (JWT) issued by the identity provider that states who authenticated (the sub claim), who issued it (iss), which client it was issued to (aud), when it expires (exp) and, if requested, the nonce from the original request. The sub value is the provider's stable identifier for the user; applications commonly store it and map it to their own database UID, but it is not the database UID itself.
  • Authorisation code is a short-lived, single-use code that the authentication server hands back through the front channel after the user logs in. It is not a credential in itself (so it is not like an API key): its only purpose is to be exchanged on the back channel, together with the client's own credentials, for the tokens.
  • Scope is the set of information or access the client asks for, and therefore what the user is consenting to. An OpenID Connect request always includes the openid scope; profile, email and similar scopes add further claims about the user.

Keep in mind this is a very general overview of the OpenID Connect process. For more detailed documentation, see the OpenID Connect Core 1.0 specification (https://openid.net/specs/openid-connect-core-1_0.html).

Firstly, the client (let's use our Spotify example from earlier) will redirect the user to the authentication server with a few query parameters: the response type (code, for the flow described here), the client ID, the return URL (the redirect URI, which must be one the client pre-registered with the provider), and the scope of information that Spotify wants to collect. Two further parameters protect the flow: a random state value, which the client stores and checks when the user comes back so that a forged callback can't be injected into the session, and a random nonce, which the provider echoes inside the ID token so the token can be tied to this particular login attempt. Whether the scope is shown to the user depends on the trustworthiness of the client.

If the client isn't trusted, there may be a requirement for the user to consent to the scope of information collected. Once logged in, the authentication server issues a short-lived authorisation code and redirects the user back to the callback URL with the code and the original state value. From the user's perspective, that's where the journey ends.

On the back channel, the client's server first checks that the returned state matches one it issued, then exchanges the code (together with its client ID and client secret) for an ID token and an access token. It must validate the ID token before trusting it: check the signature against the provider's keys, the issuer, that the audience is its own client ID, that it hasn't expired, and that the nonce matches. Then the client may also use the access token against a resource server, such as the provider's UserInfo endpoint, to request information like the user's email or date of birth.
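The whole exchange just described, as an added example that is not part of the original post: both sides, the identity provider and the Spotify-style client, are simulated in one Python process so it runs offline, and every URL, client ID and secret in it is an assumption made for illustration. The ID token is signed with HS256 over the client secret, which OpenID Connect Core permits for confidential clients; most real providers sign with RS256 using keys published at their jwks_uri, so a production client verifies the signature against those keys instead.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://op.example.com"               # assumed provider (issuer) URL
CLIENT_ID = "spotify-web"                       # assumed client id registered at the provider
CLIENT_SECRET = "client-secret-shared-with-op"  # assumed client secret
REDIRECT_URI = "https://app.example.com/callback"  # assumed pre-registered callback URL


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict) -> str:
    """JWT = b64url(header).b64url(claims).b64url(HMAC-SHA256 over the first two parts)."""
    signing_input = f"{b64url(json.dumps({'alg': 'HS256'}).encode())}.{b64url(json.dumps(claims).encode())}"
    mac = hmac.new(CLIENT_SECRET.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(mac)}"


def verify_id_token(id_token: str, expected_nonce: str, now=None) -> dict:
    """The checks a client must make before trusting an ID token (OIDC Core, section 3.1.3.7)."""
    now = time.time() if now is None else now
    header_b64, body_b64, sig_b64 = id_token.split(".")
    # Pin the algorithm: a header claiming alg=none (or any other alg) must fail, never downgrade the check.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    mac = hmac.new(CLIENT_SECRET.encode(), f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(mac), sig_b64):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token issued to a different client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token not bound to this login attempt")
    return claims


class OpenIDProvider:
    """Mock provider: the login/consent step (front channel) and the token endpoint (back channel)."""
    def __init__(self):
        self.codes = {}  # one-time code -> what it was issued for

    def authorize(self, auth_url: str, logged_in_sub: str) -> str:
        """After the user logs in and consents, redirect the browser back with a code."""
        q = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
        if q.get("response_type") != "code" or "openid" not in q.get("scope", "").split():
            raise ValueError("not an OIDC authorization-code request")
        if q.get("redirect_uri") != REDIRECT_URI:
            raise ValueError("redirect_uri not registered for this client")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"sub": logged_in_sub, "nonce": q["nonce"], "client_id": q["client_id"], "exp": time.time() + 60}
        return f"{REDIRECT_URI}?{urlencode({'code': code, 'state': q['state']})}"

    def token_endpoint(self, code: str, client_id: str, client_secret: str) -> dict:
        """The client's server trades the code plus its own credentials for tokens."""
        issued = self.codes.pop(code, None)  # pop: a code is redeemable exactly once
        if issued is None or issued["exp"] < time.time():
            raise ValueError("invalid, expired or already-used code")
        if client_id != issued["client_id"] or not hmac.compare_digest(client_secret, CLIENT_SECRET):
            raise ValueError("client authentication failed")
        now = int(time.time())
        claims = {"iss": ISSUER, "sub": issued["sub"], "aud": client_id, "iat": now, "exp": now + 300, "nonce": issued["nonce"]}
        return {"id_token": sign_hs256(claims), "access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


class RelyingParty:
    """The application (the 'client' in the text)."""
    def __init__(self):
        self.pending = {}  # state -> nonce, kept server-side for each login attempt we started

    def build_auth_request(self) -> str:
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = nonce
        params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                  "scope": "openid email", "state": state, "nonce": nonce}
        return f"{ISSUER}/authorize?{urlencode(params)}"

    def handle_callback(self, callback_url: str, op: OpenIDProvider) -> dict:
        q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
        nonce = self.pending.pop(q.get("state"), None)  # an unknown or already-used state is rejected
        if nonce is None:
            raise ValueError("state mismatch: callback not tied to a login we started")
        tokens = op.token_endpoint(q["code"], CLIENT_ID, CLIENT_SECRET)
        return verify_id_token(tokens["id_token"], nonce)


def run_flow(op: OpenIDProvider, rp: RelyingParty, user_sub: str = "user-42") -> dict:
    """One login end to end; returns the verified ID token claims."""
    auth_url = rp.build_auth_request()           # 1. client sends the browser to the provider
    callback = op.authorize(auth_url, user_sub)  # 2. user logs in; provider redirects back with a code
    return rp.handle_callback(callback, op)      # 3. back-channel exchange, then ID token validation
```

Calling run_flow(OpenIDProvider(), RelyingParty()) returns the validated claims for the logged-in user. The points worth noticing are where the checks live: the client rejects a callback whose state it never issued (which is what stops a forged callback or a replay), the provider rejects a code that is redeemed twice or by the wrong client, and the client never trusts the ID token body until the signature, issuer, audience, expiry and nonce have all been checked. Each of those checks is one the page's prose calls for; a client that skips any of them is accepting identity assertions from whoever can reach its callback URL.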

That's an overview of the OpenID Connect process. For more on application security, check out our learning space and subscribe for updates.

Yianni Stergou


28 November 2018