Blog · March 25, 2026

OpenID Connect: A Developer's Guide to Identity Data

Learn how OpenID Connect (OIDC) builds on OAuth 2.0 to provide a secure and standardized way to verify user identity and obtain identity data. This guide covers claims, flows, and implementation details.

By Didit

In today’s interconnected digital landscape, securely managing user identity is paramount. While OAuth 2.0 excels at authorization – granting applications access to resources on behalf of a user – it doesn't inherently provide information about the user. That's where OpenID Connect (OIDC) comes in. OIDC is an identity layer built on top of OAuth 2.0, providing a standardized way to verify user identity and obtain basic profile information. This guide will delve into the core concepts of OpenID Connect, its benefits, and practical implementation considerations for developers.

Key Takeaways

OIDC builds on OAuth 2.0: OIDC leverages the OAuth 2.0 framework for authentication and authorization, adding an identity layer.

Identity Tokens (ID Tokens): JWT-based ID Tokens securely transmit verified user identity data.

Claims: OIDC uses 'claims' to represent pieces of user information, standardized for interoperability.

Standardized Flows: OIDC defines several flows for different application types (web, mobile, native) to streamline integration.

What is OpenID Connect?

OpenID Connect (OIDC) is an authentication layer on top of the OAuth 2.0 authorization framework. It provides a standardized method for applications to verify the identity of an end-user based on the authentication performed by an Authorization Server. Crucially, OIDC introduces the concept of the ID Token, a JSON Web Token (JWT) that contains claims about the authenticated user. These claims provide essential identity data, such as the user’s name, email address, and profile picture. Unlike OAuth 2.0 access tokens, which grant access to resources, ID Tokens are designed specifically to assert user identity.

Think of OAuth 2.0 as the key to unlock a door (accessing resources), and OIDC as a badge that proves who you are before you're given the key. Without OIDC, the application only knows that a user is authorized; with OIDC, it knows who the user is.

Understanding OIDC Claims

Claims are the fundamental building blocks of identity data in OIDC. They are statements about the user, such as their name, email, or address. OIDC defines a set of standard claims, ensuring interoperability between different identity providers (IdPs) and applications. Commonly used claims include:

  • sub: Subject identifier – a unique ID for the user.
  • name: User's full name.
  • given_name: User's first name.
  • family_name: User's last name.
  • email: User's email address.
  • picture: URL of the user's profile picture.
  • aud: Audience – the client ID of the application receiving the ID Token.
  • iss: Issuer – the URL of the Authorization Server that issued the ID Token.
  • exp: Expiration time – the timestamp after which the ID Token is invalid.

Applications can request specific claims during the authentication process. The IdP will then include only the requested claims in the ID Token, minimizing the amount of information shared. Custom claims can also be defined, but standardized claims are highly recommended for maximum compatibility.

OIDC Flows: Authorization Code Flow with PKCE

OIDC supports several flows, each tailored to different application types. The most common and recommended flow for modern web applications is the Authorization Code Flow with Proof Key for Code Exchange (PKCE). This flow provides enhanced security against authorization code interception attacks.

Here's a simplified overview:

  1. The application generates a code verifier and a code challenge.
  2. The application redirects the user to the Authorization Server with the code challenge.
  3. The user authenticates with the Authorization Server.
  4. The Authorization Server redirects the user back to the application with an authorization code.
  5. The application exchanges the authorization code and code verifier for an ID Token and access token.
  6. The application validates the ID Token and uses the claims to identify the user.
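The client side of steps 1, 2 and 5 and the server's matching check in step 5, as an added example (not code from this page or from Didit). The endpoint URL, client ID, redirect URI and state/nonce values are constructed; it goes slightly beyond the steps above by including the state and nonce parameters that accompany PKCE in a real request.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    # base64url without '=' padding, as RFC 7636 requires for verifier and challenge
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    # Step 1: 32 random bytes encode to 43 characters, the minimum RFC 7636 allows (43..128)
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    # Step 1: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                            verifier: str, state: str, nonce: str) -> str:
    """Step 2: the redirect carries only the challenge; the verifier never leaves the client."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state,   # tied to the browser session; compared on the callback (step 4)
        "nonce": nonce,   # echoed back inside the ID Token; compared when validating it (step 6)
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def token_request_body(code: str, redirect_uri: str, client_id: str, verifier: str) -> dict:
    """Step 5: the code exchange reveals the verifier so the server can bind it to the stored challenge."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": client_id, "code_verifier": verifier}


def server_checks_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Step 5, server side: recompute the challenge from the verifier and compare in constant time."""
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)
```

An intercepted authorization code is useless on its own because the token endpoint also demands the verifier, which only the client that started the flow holds.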

Integrating OIDC with Didit

Didit simplifies OIDC integration with a comprehensive platform and developer-friendly APIs. Our platform handles the complexities of OIDC, allowing you to focus on building your application. Key features include:

  • Pre-built OIDC Connectors: Seamless integration with popular identity providers like Google, Facebook, and Microsoft.
  • Customizable Claims: Request specific claims tailored to your application's needs.
  • Secure Token Validation: Automated validation of ID Tokens to ensure authenticity.
  • Workflow Orchestration: Build custom identity flows incorporating OIDC authentication.

With Didit, developers can quickly and securely implement OIDC authentication in their applications, reducing development time and improving security posture.

How Didit Helps

Didit provides a full-stack identity platform that simplifies the complexities of OpenID Connect. We handle the heavy lifting of OIDC implementation, allowing developers to:

  • Reduce Development Time: Pre-built connectors and intuitive APIs accelerate integration.
  • Enhance Security: Secure token validation and PKCE support protect against common attacks.
  • Improve User Experience: Seamless authentication flows minimize friction for users.
  • Scale with Confidence: Didit’s platform is designed to handle high volumes of authentication requests.

Ready to Get Started?

Ready to leverage the power of OpenID Connect and streamline your application's authentication process?

Sign up for a free Didit account and explore our comprehensive documentation at Didit Docs. Start building secure and scalable applications today!

FAQ

What is the difference between OAuth 2.0 and OpenID Connect?

OAuth 2.0 is an authorization framework that allows applications to access resources on behalf of a user. OpenID Connect is an identity layer built on top of OAuth 2.0 that provides a standardized way to verify user identity and obtain identity data.

What is an ID Token?

An ID Token is a JSON Web Token (JWT) that contains claims about the authenticated user. It is issued by the Authorization Server after successful authentication and is used by the application to identify the user.

What are claims in OIDC?

Claims are statements about the user, such as their name, email address, and profile picture. OIDC defines a set of standard claims to ensure interoperability between different identity providers and applications.

Is OIDC secure?

Yes, OIDC is a secure protocol when implemented correctly. The Authorization Code Flow with PKCE is the recommended flow for modern web applications, as it provides enhanced security against authorization code interception attacks. Using a trusted Identity Provider and validating the ID token are crucial for security.
