IT Glossary

OpenID Connect (OIDC)

OpenID Connect (OIDC) adds an identity layer on top of OAuth 2.0. Learn how OIDC works, how it compares to SAML, and where it fits in modern SSO.

June 8, 2026

OpenID Connect (OIDC) is an authentication protocol built on top of OAuth 2.0. While OAuth 2.0 handles authorization, OIDC adds a standardized identity layer that lets an application verify who a user is and obtain basic profile information through an ID token. OIDC is widely used for modern web and mobile single sign-on, including consumer logins such as "Sign in with Google."

How OIDC works

  • The application redirects the user to an OIDC-compliant identity provider.
  • The user authenticates with the IdP.
  • The IdP returns an ID token (a signed JWT) plus an OAuth access token.
  • The application validates the ID token to confirm the user's identity.
  • The user is logged in, and the access token can be used for authorized API calls.
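Steps 3 and 4 above are where the security of the login lives: the IdP signs the ID token, and the application must check that signature and the token's claims before trusting the identity inside it (this is also the ID token described in the FAQ below). The following Python is an added example, not code from the original page; it mints a minimal HS256-signed ID token the way an IdP would and then validates it the way a relying party must. The issuer URL, client ID and client secret are constructed placeholders. HS256 with the client secret as key is permitted by OIDC Core; most IdPs sign with RS256 and publish keys via JWKS, which changes only the signature check, not the claim checks.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example values (hypothetical). A real relying party takes the
# issuer from the IdP discovery document and the client values from registration.
ISSUER = "https://idp.example.com"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = b"example-client-secret-at-least-32-bytes!"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(subject: str, nonce: str, now: int, lifetime: int = 300) -> str:
    """Step 3: the IdP returns a signed JWT carrying the user's identity."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,          # who issued the token
        "sub": subject,         # stable user identifier at the IdP
        "aud": CLIENT_ID,       # which client the token is for
        "iat": now,
        "exp": now + lifetime,  # short lifetime limits replay
        "nonce": nonce,         # binds the token to this login attempt
    }
    signing_input = (
        _b64url_encode(json.dumps(header).encode())
        + "."
        + _b64url_encode(json.dumps(claims).encode())
    )
    sig = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token: str, expected_nonce: str, now: int) -> dict:
    """Step 4: verify signature and claims; return claims or raise ValueError."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_b64url_decode(header_b64))
    # Pin the expected algorithm; never let the token's own 'alg' choose the
    # verification method (rejects 'none' and key-type confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(
        CLIENT_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # Only after the signature holds are the claims worth reading.
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise ValueError("token not intended for this client")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


if __name__ == "__main__":
    now = int(time.time())
    token = issue_id_token("user-123", "login-nonce-1", now)
    print("accepted:", validate_id_token(token, "login-nonce-1", now)["sub"])
    header_b64, claims_b64, sig_b64 = token.split(".")
    forged = json.loads(_b64url_decode(claims_b64))
    forged["sub"] = "admin"
    tampered = f"{header_b64}.{_b64url_encode(json.dumps(forged).encode())}.{sig_b64}"
    try:
        validate_id_token(tampered, "login-nonce-1", now)
    except ValueError as err:
        print("rejected:", err)
```

The order of checks matters: the signature is verified before any claim is read, the algorithm is fixed by the relying party rather than taken from the token header, and the nonce ties the token to the specific browser session that started the redirect, so a token captured from one login cannot be replayed into another.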

OIDC vs SAML

OpenID Connect vs SAML

| Dimension      | OpenID Connect (OIDC)               | SAML                                 |
|----------------|-------------------------------------|--------------------------------------|
| Built on       | OAuth 2.0                           | Standalone XML standard              |
| Token format   | JSON Web Token (JWT)                | XML assertion                        |
| Best fit       | Mobile, single-page and modern apps | Established enterprise web apps      |
| Adoption trend | Growing                             | Stable, still dominant in enterprise |

Examples and use cases

A SaaS product offers "Sign in with Google" through OIDC, so users authenticate with their existing Google identity instead of a new password. For IT, OIDC and SAML often coexist: newer tools speak OIDC, older enterprise apps speak SAML. Governance has to span both, plus the apps that support neither.

FAQ

What is the difference between OAuth 2.0 and OIDC?

OAuth 2.0 grants authorization to resources. OIDC sits on top of it and adds authentication, telling the app who the user is.

Is OIDC replacing SAML?

Not entirely. OIDC leads for modern and mobile apps, while SAML stays dominant across established enterprise web applications. Most companies run both.

What is an ID token?

A signed JSON Web Token issued by the IdP that proves the user's identity to the application.

Corma governs access whether your apps use OIDC, SAML, or neither. Explore Corma for IT teams or request a demo.