OpenID Connect (OIDC) Cheat Sheet


OIDC is an authentication protocol. It is usually used to verify user identity via a 3rd party, e.g. use your Google / Facebook account to log into a ride hailing service.


  • Client = the server that requests authentication
  • Provider = the server that does authentication
    • Endpoints = different URLs at the Provider to provide different services
      • Authorization Endpoint = provides authorization code, used in implicit flow (see below)
      • Token Endpoint = exchanges authorization codes for tokens
  • Token = a piece of data that contains user identity
    • JWT = a token consists of a JSON object and a signature, serialized with base64 encoding
  • Authorization Code = a temporary code used to exchange token

Authentication Flow

Implicit Flow

  • CLIENT directly send credentials to PROVIDER
  • PROVIDER sends back TOKEN to CLIENT

Implicit flow is used for scenarios where there are no back-end server. User gets authenticated directly from the front-end (usually the browser).

Normal Flow

  • FRONT-END redirects user to PROVIDER login page
  • USER submits credentials
  • PROVIDER confirms consents of user
  • PROVIDER redirects user to preset URL with AUTHORIZATION CODE, thus BACK-END gains the code
  • BACK-END uses the code to get TOKEN from PROVIDER
See the source image

This is the common scenario where we see a 3rd party login page.

Authorization code is used to prevent front-end from gaining access to the token. Authorization code is opaque and may only used by back-end to get token. Token is stored at back-end.