OpenID Connect — Explained with Examples


DodaTech Updated Jun 15, 2026 2 min read

OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0 that verifies a user’s identity and provides basic profile information.

OpenID Connect (OIDC) extends OAuth 2.0 with authentication. While OAuth 2.0 is about authorization (“what can this app do?”), OIDC adds identity verification (“who is this user?”).

Key Difference: OAuth vs OIDC

OAuth 2.0 grants access tokens to access resources. OIDC adds an ID token — a JWT that contains claims about the authenticated user’s identity.

// OIDC ID Token (decoded JWT)
{
  "iss": "https://accounts.google.com",
  "sub": "1234567890",
  "aud": "your-client-id",
  "exp": 1718000000,
  "iat": 1717996400,
  "email": "alice@example.com",
  "email_verified": true,
  "name": "Alice Johnson",
  "picture": "https://example.com/photo.jpg"
}

The ID token contains standard claims: iss (issuer), sub (subject — unique user ID), aud (audience — your app’s client ID), and profile information.
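A relying party should act on these claims only after checking them against the values it expects. The block below is an added example, not code from the original page or from any library: it assumes the token's signature has already been verified against the issuer's published keys, and the names validateIdTokenClaims, accountKey, issuer, clientId, nonce, now and skewSec are illustrative.

```javascript
// Added example. Assumes the token's signature was ALREADY verified against the
// issuer's published keys; this covers only the claim checks that follow.
// validateIdTokenClaims, accountKey and the option names are illustrative.
function validateIdTokenClaims(claims, opts) {
  const { issuer, clientId, nonce, skewSec = 60 } = opts;
  const now = opts.now ?? Math.floor(Date.now() / 1000);
  const errors = [];
  // iss: exact string match, never a prefix or substring comparison.
  if (claims.iss !== issuer) errors.push('iss mismatch');
  // aud: a string or an array; this client's ID must be one of the values.
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(clientId)) errors.push('aud mismatch');
  // azp: if present, or if there are several audiences, it must be this client.
  if ((aud.length > 1 || claims.azp !== undefined) && claims.azp !== clientId) {
    errors.push('azp mismatch');
  }
  // exp / iat: seconds since the epoch, with a small allowance for clock skew.
  if (typeof claims.exp !== 'number' || now >= claims.exp + skewSec) errors.push('expired');
  if (typeof claims.iat !== 'number' || claims.iat > now + skewSec) errors.push('iat in future');
  // sub: required; it is the stable user identifier.
  if (typeof claims.sub !== 'string' || claims.sub === '') errors.push('sub missing');
  // nonce: when one was sent in the authentication request, it must come back unchanged.
  if (nonce !== undefined && claims.nonce !== nonce) errors.push('nonce mismatch');
  return errors;
}

// Key local accounts on issuer + subject; email can change or be reassigned.
function accountKey(claims) {
  return `${claims.iss}|${claims.sub}`;
}

// Constructed sample: the decoded ID token shown above.
const sampleClaims = {
  iss: 'https://accounts.google.com', sub: '1234567890', aud: 'your-client-id',
  exp: 1718000000, iat: 1717996400, email: 'alice@example.com', email_verified: true,
};
const expected = { issuer: 'https://accounts.google.com', clientId: 'your-client-id', now: 1717998000 };

console.log(validateIdTokenClaims(sampleClaims, expected));
console.log(validateIdTokenClaims(sampleClaims, { ...expected, clientId: 'other-app' }));
console.log(validateIdTokenClaims(sampleClaims, { ...expected, now: 1718003600 }));
console.log(accountKey(sampleClaims));
```

An empty array means every check passed; any entry is a reason to reject the token and not create a session.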

Real-World Analogy

OAuth is like a building access card that opens certain doors. OIDC is that same card but with a photo ID. The card still opens doors (authorization), but now it also proves your identity (authentication). The building security can both verify who you are and check what rooms you’re allowed to enter.

UserInfo Endpoint

OIDC also provides a UserInfo endpoint that returns additional user details when called with a valid access token:

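// ACCESS_TOKEN is a placeholder for a valid access token
fetch('https://openidconnect.googleapis.com/v1/userinfo', {
  headers: { 'Authorization': 'Bearer ACCESS_TOKEN' }
})
  .then(res => {
    // A non-2xx status (for example 401 for an expired or invalid token) has no profile to parse
    if (!res.ok) throw new Error(`UserInfo request failed: ${res.status}`);
    return res.json();
  })
  .then(user => {
    console.log(user.name, user.email, user.picture);
  })
  .catch(err => console.error(err));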

Related Terms

OAuth, JWT, SSO, SAML, Authentication vs Authorization
