OpenID Connect (OIDC) - Overview

OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0 authorization protocol. It facilitates third-party apps(clients) in verifying user's identity as well as accessing their basic profile information.

Now, let's familiarize ourselves with few terminologies before understanding how OIDC works:

OpenID Provider (OP)

Claims

ID token

Access token

JSON Web Key (JWK) Endpoint

Refresh token

Authorization Endpoint

Token Endpoint

User Info Endpoint

Discovery Endpoint

OpenID Provider (OP)

An OAuth 2.0 authorization component that helps in authenticating the user and providing user information to the client requesting these information.

Claims

Any information about the user sent in OIDC flow is called as claims.

ID token

JSON Web Tokens that contain information about the user and the authentication performed.

Access token

Token used to access user information from the resource server of OP.

Refresh token

Token used to get new access token once the previously provided access token gets expired.

Authorization Endpoint

Where the user authenticates themselves and grants permission to access certain information about them.

Token Endpoint

Where RP exchanges the Authorization Code received from OP for ID token, access token, and/or refresh token.

User Info Endpoint

Where RP requests user information(claims) about the user by providing the access token.

Discovery Endpoint

Where all the configuration details related to OP are displayed.

JSON Web Key (JWK) Endpoint

Where RP receives certain keys to verify the authenticity of the tokens received.

Relying Party (RP)/ Client

Scope

Authorization code

Redirect URI

Sign-out Endpoint

Relying Party (RP)/ Client

The client application that requests user authentication and user information from the OpenID provider.

Scope

Parameter used in authentication and authorization requests that defines what type of user information is required.

Authorization code

Code sent by the authorization endpoint to the client in the authentication response, which can then be exchanged at Token Endpoint for ID token and access token.

Redirect URI

URL to which the authorization endpoint sends the authentication and authorization response.

Sign-out Endpoint

Endpoint used to logout the users from the current authenticated session.

Prerequisites for clients:

Clients(Relying Party) should have registered themselves with the Resource Provider (OpenID Provider) and gotten their Client ID and Client Secret from OpenID Provider.

Basic OIDC flow:

Relying Party requests the Authorization Endpoint of OpenID Provider to authenticate the user and get user's authorization to access certain user information. After authenticating the user and obtaining authorization, the authorization endpoint sends an ID token and access token to the Relying Party.

The method used for this token exchange varies based on the Relying Party (RP) type and the authentication flow chosen. We will explore about the RP types and the recommended authentication flows for each in the later sections of this article.

RP requests user information (claims) to the UserInfo Endpoint of the OP with the access token. OP sends the consented claims to the RP.

Relying Party types and recommended authentication flows:

Regular Web Application (MPA) and Authorization Code flow:

These applications run on a server and send new page requests to the server for each action. These applications can store client secrets securely; hence, they are also referred to as Confidential Clients. The optimal authentication flow recommended for MPAs is Authorization Code Flow.

In this flow, RP(client) requests the Authorization Endpoint of OP to authenticate the user and get authorization to access certain user information. After authenticating the user and obtaining authorization, the authorization endpoint sends Authorization Code to the client.The client then exchanges this authorization code for ID token and access token (if requested, refresh token as well) at the token endpoint of OP. The client retrieves required user information(claims) from the ID token.

Single-Page Application (SPA) and Implicit flow

SPAs are modern web applications that loads the required section based on your action. These applications typically run on the client side after initially retrieving all the necessary resources from the server. They are also referred to as public clients, and they can't store client secrets securely as their entire source is on a browser. The suggested authentication flow for SPAs is the Implicit Code Flow.

In this flow, client(RP) requests Authorization Endpoint of OP to authenticate the user and get authorization to access certain user information. After authenticating the user and obtaining authorization, the authorization endpoint sends the ID token directly to the client. If requested, they also send access and refresh tokens. The client retrieves necessary user information from the ID token. Token endpoint is not used in this flow.

Native Applications and PKCE flow

Native applications are the ones installed directly on the specific device. They are also known as public clients. They can't store their secrets securely, as they are directly installed onto a device, and the applications can be decompiled by anyone to access the client secrets. The flow recommended for native apps is Authorization Code Flow with Proof Key for Code Exchange (PKCE).

In this flow, the client(RP) generates a Code Verifier(a random string) and a Code Challenge (hashed version of the code verifier using any hashing method). Along with the authorization request sent to the Authorization endpoint of OP, the client also sends the code verifier. After authenticating the user and obtaining authorization, the authorization endpoint sends the Authorization Code to the client. At the token endpoint of OP, the client provides this authorization code along with the Code Challenge and the hashing method used to hash the code verifier. The token endpoint then dehashes the code challenge using the mentioned hashing method and checks whether the answer and the code verifier matches, to verify that it received the authorization code from the same client who sent authorization request.The token endpoint then provides the ID token and access token (if requested, refresh token as well). The client gets required user information from the ID token.

Create. Review. Publish.

Write, edit, collaborate on, and publish documents to different content management platforms.

Get Started Now

Access your files securely from anywhere

Zoho CRM Training Programs

Learn how to use the best tools for sales force automation and better customer engagement from Zoho's implementation specialists.

Redefine the way you work

with Zoho Workplace

Start your free trial

Zoho DataPrep Personalized Demo

If you'd like a personalized walk-through of our data preparation tool, please request a demo and we'll be happy to show you how to get the best out of Zoho DataPrep.

Create, share, and deliver

beautiful slides from anywhere.

Get Started Now

Zoho Sign now offers specialized one-on-one training for both administrators and developers.

BOOK A SESSION

Zoho Workerly Home
Forums
Connect With Us:

Zoho Recruit Home
Forums
Connect With Us:

Start tracking your website metrics today

Use PageSense to understand what your visitors are looking for, how they are behaving, and where they are facing problems on your website.

Ready to improve your website's performance?

Install the PageSense code snippet on your site in a matter of minutes and start collecting in-depth data about the website visitors to grow your business.

Track and measure every business goal

Set up goals in PageSense to measure every single action performed by visitors on your website like button or link clicks, form submissions, and page engagements.

Understand the customer journey on your website

Create funnels in PageSense to quickly see which pages visitors use to enter your website, where they navigate to next, and which pages they decide to leave without converting.

Visualize your visitor's behavior with color codes

Set up heatmaps in PageSense to see where users have clicked more, how far they've scrolled, and on which parts of a page they've spent the most time using color-coded patterns in reports.

Measure customer engagement with your web forms

Use form analytics in PageSense to see how people interact with different fields in your form, whether they complete the form successfully or not, and where exactly they drop out on your form.

Record real visitor interactions on your website

Use session recordings in PageSense to watch a video of all the visitor actions performed on your website including the pages they navigate, the buttons they click, the UX issues they face, and more.

Test and optimize webpages for better conversions

Run A/B or Split URL tests in PageSense to figure out which version of your web page works best for your business and results in the best conversion rate.

Give each customer a unique website experience

Use personalization in PageSense to deliver customized versions of your website for every individual customer based on their demographics, local weather, browsing history, and more.

Grow your business through customer feedback

Run polls on your website using PageSense to understand what your customers think about your products/services and what needs improvement on your site.

Send timely updates that customers love

Use web push notifications in PageSense to schedule and notify your customers about an upcoming flash sale, product releases, promotional coupons, and a lot more that can spark conversions on your website.

Advertise your business to website visitors

Use pop-ups in PageSense to instantly grab the attention of visitors by showing attractive signup offers, coupon code discounts, or email newsletters that can eventually convert them into subscribers.

Access more advanced settings in PageSense

Use PageSense's advanced features like creating mutually exclusive groups, enabling cross-domain tracking, configuring customized project JS, and more to get deeper insights about your website.

Try easy-to-use extensions

Download the PageSense extension app available for your web browser with a few clicks and start collecting all of your required website metrics in real time.

Discover your favorite integrations with PageSense

Get a deeper look at your website's data by seamlessly integrating PageSense with a host of popular third-party apps like Google Analytics, Mixpanel, Intercom, and more.

Quick Links	Workflow Automation	Data Collection
Web Forms	Retail	Online Data Collection Tool
Embeddable Forms	Banking	Begin Data Collection
Interactive Forms	Workplace	Data Collection App
CRM Forms	Customer Service	Forms for Solopreneurs
Digital Forms	Marketing	Forms for Small Business
HTML Forms	Education	Forms for Enterprise
Contact Forms	E-commerce	Forms for any business
Lead Generation Forms	Healthcare	Forms for Startups
Wordpress Forms	Customer onboarding	Forms for Small Business
No Code Forms	Construction	RSVP tool for holidays
Free Forms	Travel	Features for Order Forms
Prefill Forms	Non-Profit	Forms for Government
Intake Forms	Legal	Mobile App
Form Designer	HR	Mobile Forms
Card Forms	Food	Offline Forms
Assign Forms	Photography	Mobile Forms Features
Translate Forms	Real Estate	Kiosk in Mobile Forms
Electronic Forms	Insurance
Drag & drop form builder
Notification Emails for Forms	Alternatives	Security & Compliance
Holiday Forms	Google Forms alternative	GDPR
Form to PDF	Jotform alternative	HIPAA Forms
Email Forms	Wufoo alternative	Encrypted Forms
Accessible Forms	Typeform alternative	Secure Forms
		WCAG

Quick Links

New to Zoho Writer?

Signup Now

Zoho Writer

What's new

Help Guide

Blogs

Forums

Webinars

API

Developers

Build Extensions

Create. Review. Publish.

Write, edit, collaborate on, and publish documents to different content management platforms.

Get Started Now

Zoho Campaigns Resources

Campaigns Community Learning Series

New to Zoho CRM Plus?

Deliver unforgettable customer experiences

ACCESS ZOHO CRM PLUS

New to Zoho CRM Plus?

Deliver unforgettable customer experiences

ACCESS ZOHO CRM PLUS

New to Zoho Marketing Plus?

Everything you need to run your marketing

ACCESS ZOHO MARKETING PLUS

New to Zoho Marketing Plus?

Everything you need to run your marketing

ACCESS ZOHO MARKETING PLUS

Zoho Pagesense Resources

You are currently viewing the help pages of Qntrl’s earlier version. Click here to view our latest version—Qntrl 3.0's help articles.

New to Zoho Survey?

Access Zoho Survey

Latest Feature Updates

Explore our Pricing & Plans

Zoho Survey Resources

Android Mobile Surveys

Insurvey Blogs

Insight Blogs

Tips & Tricks

New to Zoho Social?

Manage your brands on social media

Access Zoho Social

New to Zoho Desk?

Access Zoho Desk

What's New in Zoho Desk

Use cases

Make the most of Zoho Desk with the use cases.

Learn More

eBooks

Download free eBooks and access a range of topics to get deeper insight on successfully using Zoho Desk.

Download eBooks

Videos

Watch comprehensive videos on features and other important topics that will help you master Zoho Desk.

Watch Now

Webinar

What's New in Zoho Desk

Desk Community Learning Series
Meetups
Ask the Experts
Kbase
Resources
Glossary
Desk Marketplace
MVP Corner

Zoho Sheet Resources

New to Zoho Forms?

Latest Feature Updates

Explore our Pricing & Plans

Zoho Forms Resources

Secure your business

communication with Zoho Mail

Get started

Mail on the move with

Zoho Mail mobile application

Go Mobile

Stay on top of your schedule

at all times

Get started

Carry your calendar with you

Anytime, anywhere

Get started

Latest Announcements

New to Zoho Sign?

Zoho Sign Resources

Sign, Paperless!

Sign and send business documents on the go!

Get Started Now

Zoho SalesIQ Resources

New to Zoho TeamInbox?

Zoho TeamInbox Resources

Connect with us

New to Zoho ZeptoMail?

LEARN MORE

Latest Feature Updates

Zoho DataPrep Resources

New to Zoho DataPrep?

Access Zoho DataPrep

Zoho DataPrep Demo

Get a personalized demo or POC

Design. Discuss. Deliver.

Create visually engaging stories with Zoho Show.

Get Started Now

New to Zoho Workerly?

Access Zoho Workerly

New to Zoho Recruit?

Access Zoho Recruit

New to Zoho CRM?

Signup Now

Access Zoho CRM

Latest Feature Updates

New to Zoho Projects?

Access Zoho Projects

New to Zoho Sprints?

Access Zoho Sprints

New to Zoho Assist?

Access Zoho Assist

New to Bigin?

Signup Now

Access Bigin

Latest Feature Updates

Related Articles
Adding apps - Overview
General Info: The Free plan allows you to add only up to 3 non-Zoho apps. Zoho Directory supports adding and managing five different types of apps: Directory apps These are pre-integrated SSO apps available in the app directory. SAML custom apps ...
Using Open ID Connect (OIDC) in Zoho Directory
As an OpenID provider, Zoho Directory (ZD) can help you in authenticating the users and getting authorization to access users profile information securely. This is done through the OIDC authentication protocol. Learn more about OIDC. In Zoho ...
Adding a custom OIDC app
The Free plan allows you to add only up to 3 non-Zoho apps. Check our app directory to see if the app you need is already integrated with Zoho Directory, or request an integration. In Zoho Directory, you can configure OpenID Connect (OIDC) for any ...
Add bookmarked custom app
General Info: The Free plan allows you to add only up to 3 non-Zoho apps. Prerequisites Permissions required to perform this action: Add apps Assign apps Add bookmarked custom apps: Sign in to Zoho Directory , then click Admin Panel in the left menu. ...
Add associated custom app
General Info: The Free plan allows you to add only up to 3 non-Zoho apps. Prerequisites Permissions required to perform this action: Add apps Assign apps Add associated custom app: Sign in to Zoho Directory , then click Admin Panel in the left menu. ...