OAuth 2.0 / OpenID Connect Authorization Code Grant (Client-centric)

Flow diagram

[Flow diagram image omitted from this extract]

Additional features of OpenID Connect

OpenID Connect adds a second token: a signed proof of user authentication that by itself grants no access rights.

This token is called the ID token and carries detailed information about the authentication event:

  • User name of the authenticated user
  • Date of user authentication
  • Date when the id token was issued (may differ from the authentication date if the user already had an authenticated session at the authorization endpoint when the OAuth 2.0 process was started)
  • Identifier of the issuer
  • An arbitrary number of custom claims

This token can be used to distribute proof of user authentication without handing out access rights. Furthermore, OpenID Connect specifies new request parameters that give the client more control over the authentication process: it can state language preferences, force or suppress user interaction, and require fresh authentication when the user's existing session at the authorization endpoint is older than a chosen maximum age.
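The following is an added example, not code from the original page or from any particular provider. It shows the two client-side halves of what the text describes: building an authorization request that carries the OpenID Connect parameters (language preference, forced or suppressed interaction, maximum session age, plus `state` and `nonce`), and validating the ID token that comes back, including the check that `auth_time` is fresh enough when a maximum age was requested. The issuer URL, client identifier, shared secret and all claim values are constructed for illustration; HS256 with the client secret is used so the example runs with the standard library only, whereas real deployments usually verify RS256/ES256 signatures against the provider's published keys.

```python
"""Added example: a minimal OpenID Connect client helper.

Everything here (issuer, client id, secret, claims) is constructed for
illustration. HS256 with the client secret keeps the example dependency-free;
production clients normally verify RS256/ES256 against the provider's JWKS.
"""
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

ISSUER = "https://op.example.test"            # constructed issuer
CLIENT_ID = "demo-client"                     # constructed client id
CLIENT_SECRET = b"constructed-shared-secret"  # constructed HS256 key


def build_authorization_url(state, nonce, max_age=None, prompt=None, ui_locales=None):
    """Authorization request for the code flow with the OIDC extras."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": "https://rp.example.test/cb",
        "scope": "openid profile",
        "state": state,   # binds the callback to this browser session (CSRF)
        "nonce": nonce,   # echoed back inside the ID token (replay binding)
    }
    if max_age is not None:
        params["max_age"] = str(max_age)   # re-authenticate if session is older
    if prompt is not None:
        params["prompt"] = prompt          # "none" suppresses, "login" forces UI
    if ui_locales is not None:
        params["ui_locales"] = ui_locales  # language preference for the OP's UI
    return ISSUER + "/authorize?" + urlencode(params)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(claims: dict, key: bytes = CLIENT_SECRET) -> str:
    """Constructed stand-in for the provider: signs claims as an HS256 JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_id_token(token, nonce, now, max_age=None, key=CLIENT_SECRET, leeway=60):
    """Return the claims if the ID token is acceptable, else raise ValueError."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never accept "none"
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    c = json.loads(_b64url_decode(body_b64))
    if c.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = c.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if c.get("exp", 0) < now - leeway:
        raise ValueError("expired")
    if c.get("iat", 0) > now + leeway:
        raise ValueError("issued in the future")
    if c.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    # auth_time may be older than iat when an existing session was reused;
    # if max_age was requested, the authentication itself must be that fresh.
    if max_age is not None:
        if "auth_time" not in c:
            raise ValueError("auth_time required when max_age was requested")
        if now - c["auth_time"] > max_age + leeway:
            raise ValueError("authentication too old")
    return c


def rejects(**kwargs) -> bool:
    """True if validate_id_token refuses the token (convenience for checks)."""
    try:
        validate_id_token(**kwargs)
    except ValueError:
        return True
    return False
```

The `nonce` passed to `validate_id_token` must be the one stored in the user's session when the authorization URL was built, and `state` must be compared on the callback before the code is exchanged; both checks are what make the ID token useful as proof of authentication for this particular login rather than a replayed one.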