
OpenID Connect — Authentication on Top of OAuth 2.0

Published 08. 02. 2023, updated 27. 03. 2026. 1 min read, intermediate.
This article was published in 2023. Some information may be outdated.

OAuth 2.0 handles authorization — who can access which resources. OIDC (OpenID Connect) adds authentication — who the user is. The result is an ID Token with user information in JWT format. OIDC is today’s standard for Single Sign-On — supported by Google, Microsoft, Apple, Okta, Keycloak, and dozens of other providers. For modern web and mobile applications, it is the recommended authentication method.

ID Token

{
  "iss": "https://auth.example.com",
  "sub": "user-123",
  "aud": "myapp",
  "exp": 1706000000,
  "email": "[email protected]",
  "name": "Jan Novak"
}

The ID Token is a JWT signed by the provider. It carries user information as claims — who issued the token (iss), for which client it was issued (aud), when it expires (exp), and the stable user identifier (sub). The application must validate the signature with the provider’s public keys published at jwks_uri (JWKS), then verify iss, aud, exp, and the nonce, which ties the token to the original login request and protects against replay.

Discovery

# GET https://auth.example.com/.well-known/openid-configuration
{
  "issuer": "https://auth.example.com",
  "authorization_endpoint": "https://auth.example.com/authorize",
  "token_endpoint": "https://auth.example.com/token",
  "jwks_uri": "https://auth.example.com/.well-known/jwks.json"
}

The discovery endpoint allows clients to automatically discover all provider endpoints and parameters. This means you only need to provide one URL (issuer) and the library configures itself. This eliminates errors from manual configuration and simplifies migration between providers.

FastAPI Implementation

from authlib.integrations.starlette_client import OAuth

oauth = OAuth()
oauth.register(
    name='google',
    # Discovery URL: Authlib reads the endpoints and jwks_uri from here
    server_metadata_url='https://accounts.google.com/.well-known/openid-configuration',
    client_id='your-id',          # load real credentials from configuration, not source
    client_secret='your-secret',
    # 'openid' is what turns an OAuth 2.0 flow into an OIDC flow that returns an ID Token
    client_kwargs={'scope': 'openid email profile'}
)

Most frameworks have OIDC libraries that automate the entire flow — redirect to provider, exchange authorization code for tokens, and ID Token validation. For enterprise applications, consider running your own Keycloak or Zitadel as an identity provider with full control over user data.

Key Takeaway

OIDC = OAuth 2.0 + identity. Always validate the ID Token (iss, aud, exp, nonce). Use the discovery endpoint for automatic configuration. For new projects, use OIDC/OAuth 2.0 instead of custom authentication.

CORE SYSTEMS team
