OpenID connect (OIDC) is a simple extension to the OAuth2 protocol, which lets a server include more information about the authenticated user (canonical ID, username, email, etc).
At the very simple level, this lets you quickly populate a new user account without making additional requests. However, since these ID tokens are signed, it lets you do a whole lot more.
For example, you can pass these tokens around when making API requests in a modern micro service environment – each micro service will be able to securely authenticate the user that is making the request independently.
The client will validate and use OIDC tokens when authenticating against a server, and the Known OAuth server will now generate OIDC tokens for users authenticating against a Known OAuth2 application.
Requesting OIDC from the client
OIDC tokens are not automatically provided, so you need to request them. Do this by adding
openid to your list of scopes. I also suggest you add
profile to your scopes too, so you get some actually useful information about the authenticating user.
You’ll also need to provide a URL for where to get the public key for the issuing server. This isn’t terribly slick, but I intend to improve this going forward with some nice auto discovery.
Issuing OIDC from the server
All new applications will have the necessary information to start issuing OIDC tokens.
A new key pair will automatically be generated, and you’ll be able to get public key information from: