Skip to content

OpenID Connect

OpenID Connection is an extension for OAuth 2.0 and adds authentication capabilities on top of this authorization framework.

The primary additions to OAuth 2.0 are the introduction of an id_token and an userinfo API endpoint.

ID Token

The ID Token is a JWT with identity and authentication information. It provides information about the subject that was authenticated as well as some details about the authentication action.


The Userinfo endpoint is an API that provides user information. Depending on the setup and configured preferences, it provides very much the same information as an id_token. Depending on your use case, you often either use an id_token or the Userinfo endpoint.


Often forgotten but not less important: the logout process. The core specifications of OpenID Connect do not describe the logout process but additional specifications do. has implemented OpenID Connect Front-Channel Logout 1.0.

Authentication Request

In OAuth 2.0 a client issues an authorization request. In OpenID Connect this authorization request is extend and is now referred to as an authentication request.

To goal of an authentication request is to identity the user. At a minimum, and OpenID Authentication request contains a query-parameter scope that includes the value openid. This is what characterizes all authentication requests.

This is an example.

Apart from the OAuth 2.0 parameters, the following OpenID Connect specific parameters are supported by


A required attribute in case the response_type contains id_token. It should contain a random value which ends up in the nonce-claim of the retrieved id_token. It is used to verify the id_token belongs to the initial authentication request.


This attribute is used by to specify the required authentication level. Based on the levels specified, a subset of the configured authentication modules is presented to the user. In case only one module is possible, this module is automatically selected.


Specify the maximum lifetime of the current session.


If present, it should be either login or none.


If present, it should be popup.