OIDC = OAuth 2.0 + Authentication

OIDC Workflow:

  1. At the authorization request step (the first request), the client asks for the `openid` scope; that scope is what turns a plain OAuth 2.0 request into an OIDC one:

    GET /authorize?
    response_type=code
    &client_id=CLIENT_ID
    &redirect_uri=REDIRECT_URI
    &scope=openid profile email
    &state=RANDOM_STRING
    &code_challenge=CODE_CHALLENGE
    
  2. After the user logs in and grants permissions, the server redirects back with an authorization code. When the app exchanges that code for tokens, the server returns an access_token plus an id_token (the id_token is the OIDC addition):

    {
    	"access_token":"eyJhbGciOi...",
    	"id_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    	"refresh_token":"xyz123",
    	"token_type":"Bearer",
    	"expires_in":3600
    }
    
  3. The user is authenticated without the app ever handling passwords. The id_token is a JWT; its decoded payload looks like this:

    // Decoded id_token payload
    {
    	"sub":"1234567890", // unique user id at this issuer
    	"name":"John Doe",
    	"email":"john@example.com", // placeholder address
    	"iss":"https://accounts.google.com", // issuer
    	"aud":"CLIENT_ID", // intended client (must match your client ID)
    	"exp":1618888888 // expiry (Unix time); reject the token after this
    }