What is OIDC?

30 January 2023


OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 protocol. Where OAuth 2.0 handles authorisation, granting one application access to the data and features of another, OIDC handles authentication: it verifies users who have requested access to web applications and establishes a login session containing information about the logged-in user. Since the OpenID Foundation introduced OIDC in 2014, many companies have adopted it as an alternative to SAML 2.0 for providing Single Sign-On (SSO) to their users.

OIDC provides a way to authenticate users to web applications, known as Relying Parties (RPs), by redirecting the user’s browser to the login page of an Identity Provider (IdP), then redirecting the user’s browser back to the RP with the outcome of the authentication.

Like SAML, OIDC can return an ID token (in JSON rather than XML format) containing the user’s details via the user’s browser, using the Implicit Flow. Because this exposes the ID token in the user’s browser, the Implicit Flow is not recommended and is mainly used by Single Page Applications (SPAs) and JavaScript applications that have no ‘back end’ logic on a web server.

The most commonly used OIDC flow is the Authorization Code Flow: a code is returned to the RP via the user’s browser, and the RP then sends a request to the IdP’s token endpoint to retrieve the ID token. This keeps the user’s details from passing through the browser and so reduces the chance of their being intercepted by a malicious party.

In addition to an ID token, OIDC allows an RP to request an access token, which gives the RP authorised access to a protected resource such as an API for retrieving further details about the authenticated user. OIDC also supports issuing refresh tokens, allowing the RP to request a new ID or access token once the previously issued one has expired. A refresh token is only exchanged for a new ID or access token if it has been neither revoked nor expired. This allows the RP to support long-running transactions while maintaining security.
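To make the Authorization Code Flow concrete, the following is an added, self-contained Python sketch (not code from the original post or from Condatis) in which a toy IdP and RP share one HMAC key; the issuer URL, client_id and key are constructed placeholders. It shows the code being redeemed over the back channel rather than through the browser, the code being single-use, and the checks the RP makes on the ID token before trusting it.

```python
import base64, hashlib, hmac, json, secrets, time
# Constructed values: a pretend IdP and RP sharing one HMAC key (HS256).
ISSUER = "https://idp.example"      # assumed issuer URL
CLIENT_ID = "rp-example"            # assumed RP client_id
KEY = b"constructed-shared-secret"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_jwt(claims: dict) -> str:
    """Mint a compact JWT (header.payload.signature) signed with HS256."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

class IdP:
    """Toy IdP: the authorization endpoint issues codes, the token endpoint redeems them."""
    def __init__(self):
        self.codes = {}
    def authorize(self, client_id, nonce, sub):
        code = secrets.token_urlsafe(16)        # opaque, short-lived code
        self.codes[code] = (client_id, nonce, sub)
        return code
    def token(self, code, client_id):
        entry = self.codes.pop(code, None)      # single use: a replayed code fails
        if entry is None or entry[0] != client_id: return None
        now = int(time.time())
        return sign_jwt({"iss": ISSUER, "sub": entry[2], "aud": client_id,
                         "iat": now, "exp": now + 300, "nonce": entry[1]})

def verify_id_token(token, expected_nonce, now=None):
    """RP-side checks on the ID token: signature, iss, aud, exp and nonce."""
    if not token or token.count(".") != 2: return None
    head, body, sig = token.split(".")
    want = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(want), sig): return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    now = int(time.time()) if now is None else now
    if (claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID
            or claims.get("exp", 0) <= now or claims.get("nonce") != expected_nonce):
        return None
    return claims

def login(idp, sub="alice"):
    """RP side of the Authorization Code Flow: returns (claims or None, code)."""
    nonce = secrets.token_urlsafe(16)           # ties the ID token to this session
    code = idp.authorize(CLIENT_ID, nonce, sub) # arrives via the browser redirect
    id_token = idp.token(code, CLIENT_ID)       # back-channel request, not via browser
    return verify_id_token(id_token, nonce), code
```

A real RP would additionally bind the redirect to a `state` value and, with an asymmetric algorithm such as RS256, verify against the IdP's published public keys rather than a shared secret.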

Migrating from SAML

SAML has been a longstanding and widely used global standard, and a number of our clients come to us in later stages of their modernisation journey to migrate to OpenID Connect. We have helped organisations of various sizes by integrating OIDC services with the same centralised identity management system using the Microsoft Azure AD B2C platform, allowing them to offer SAML and OIDC services to the same user base through the use of the same login credential.

Condatis provide a migration path for organisations moving away from SAML to OIDC over time, while also continuing to support legacy services and protect your past investments.

Integrating OpenID Connect

Condatis has extensive experience of integrating OpenID Connect (OIDC) services with a centralised identity management system for organisations across sectors including healthcare, financial services, enterprise and government. We help organisations integrate OIDC with Microsoft Azure AD B2C so that their users can access digital services with a single credential.