eastbaycyber

What Is OIDC?

Glossary 5 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-13
Definition

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

OIDC, short for OpenID Connect, is an identity layer built on top of OAuth 2.0 that lets applications verify who a user is and receive basic profile information in a standard way. In practice, OIDC is one of the core technologies behind modern single sign-on (SSO), especially for cloud apps, workforce identity, and customer sign-in experiences.

If you are comparing protocols, it also helps to read what is oauth 2 0 and what is sso, since OIDC is often discussed alongside both.

OIDC definition

OIDC adds authentication to OAuth 2.0.

That distinction matters:

  • OAuth 2.0 focuses on authorization
  • OIDC adds authentication

In simple terms, OAuth helps answer, “Can this app access this resource?” OIDC helps answer, “Who is this user?”

How OIDC works

OIDC usually involves three main parties:

  • The user
  • The application, often called the client or relying party
  • The identity provider, or IdP

A typical OIDC sign-in flow looks like this.

User requests access to an application

The user opens an application that relies on an identity provider for sign-in. Instead of managing a local password database, the app redirects the user to the identity provider.

Identity provider authenticates the user

The identity provider verifies the user with one or more login methods, such as:

  • Username and password
  • Multi-factor authentication
  • Passkey or biometrics
  • Smart card or certificate
  • Device or risk-based checks

Because authentication happens at the identity provider, policies can be enforced centrally across many applications.

Identity provider returns tokens

After successful authentication, the identity provider returns one or more tokens to the application. The most important OIDC-specific token is the ID token.

An ID token may include claims such as:

  • The user’s identity
  • Which provider authenticated them
  • When authentication occurred
  • Which application the token is for
  • When the token expires

The application validates the token before creating a session for the user.

Application grants access

Once the app verifies the token, the user is signed in. In some cases, the application also receives an access token so it can call APIs or retrieve additional user details.

Why OIDC matters

OIDC gives organizations a standardized way to handle sign-in across web apps, mobile apps, and cloud platforms.

That makes it useful for:

  • Implementing SSO consistently
  • Centralizing authentication policy
  • Enforcing MFA and conditional access
  • Reducing password sprawl
  • Improving visibility into login events
  • Simplifying integration with identity providers

Instead of every application inventing its own login system, many can rely on the same identity layer.

OIDC vs OAuth 2.0

OIDC and OAuth 2.0 are closely related, but they are not interchangeable.

OAuth 2.0

OAuth 2.0 is mainly about delegated authorization. It lets an app access a resource on a user’s behalf without exposing the user’s password.

OIDC

OIDC builds on OAuth 2.0 and adds a standard way to authenticate the user. It introduces the ID token and related identity flows so the application can confirm who signed in.

A common mistake is treating an OAuth access token as proof of identity. That can create design and security issues if the app does not actually validate the user through OIDC.

Common OIDC components

Several terms appear often in OIDC discussions.

Identity provider

The IdP is the system that authenticates the user and issues tokens to the application.

Client

The client is the application the user wants to access. It relies on the identity provider for authentication.

ID token

The ID token contains identity claims about the authenticated user. It is central to OIDC.

Access token

The access token is used to access protected APIs or resources. It often appears alongside OIDC, but its purpose is different from the ID token.

UserInfo endpoint

Some OIDC setups allow the application to retrieve additional user claims from a dedicated endpoint after authentication.

When you will encounter OIDC

You will encounter OIDC in most modern identity environments, especially when organizations want centralized authentication and better access control.

SaaS and workforce SSO

If employees sign in to business apps through a central identity platform, OIDC is often one of the protocols involved.

Customer identity and app sign-in

Many consumer and business applications use OIDC for “Sign in with” flows or centralized customer identity systems.

Cloud and API-driven environments

OIDC fits well with modern architectures built around web apps, mobile apps, APIs, and token-based services.

Identity modernization projects

Organizations replacing older authentication patterns often adopt OIDC as part of SSO, zero trust, and cloud migration efforts.

Security reviews and incident response

Security teams may need to understand OIDC when reviewing app integrations, investigating token misuse, or evaluating how sessions are established and trusted.

Security considerations with OIDC

OIDC is widely used and generally strong when implemented correctly, but the details still matter.

Important areas to review include:

  • Proper token validation
  • Secure redirect URI handling
  • Strong session management
  • MFA enforcement at the identity provider
  • Careful claim and scope handling
  • Secure account recovery processes

For organizations strengthening identity security overall, using a password manager like 1Password can help reduce weak password practices in systems that have not yet moved to passwordless authentication. Endpoint protection such as Malwarebytes can also help reduce the risk of infostealers and other malware that target browser sessions and credentials.

Bottom line

OIDC is a modern authentication protocol that lets applications trust a central identity provider to verify users and support SSO. If OAuth 2.0 helps an app get permission, OIDC helps the app know who just signed in.

Last verified: 2026-05-13

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.