OAuth and OIDC Basics
Overview
OAuth 2.0 and OAuth 2.1 (referred to here collectively as OAuth, for Open Authorization) and OIDC (OpenID Connect) are open standards for authorization and authentication. They are the foundation for secure access across APIs, web, and mobile apps, enabling delegated and passwordless access.
OAuth Authorization Framework
OAuth 2.0 lets a user (resource owner) grant limited access to their resources (like files or APIs) to a client application, without sharing passwords.
Example: Allowing Slack to read your Google Calendar events without giving it your Google password.
OAuth 2.1 is an evolution of OAuth 2.0 that simplifies and secures the protocol by deprecating insecure features and recommending best practices.
References to OAuth in this document describe OAuth 2.1; the same guidance can also be used with OAuth 2.0.
Key Roles
| Role | Description |
|---|---|
| Resource Owner | The user who owns the data or resource. |
| Client | The app requesting access on behalf of the user. |
| Authorization Server | Issues tokens after authenticating the user and client. IDaaS is the Authorization Server. |
| Resource Server | API or service that validates tokens and provides data. IDaaS issues the tokens used by the Resource Server. |
Grant Types
Grants describe how clients obtain tokens.
| Grant Type | Description | Common Use Case |
|---|---|---|
| Authorization Code | Exchanges an authorization code for tokens after user consent. | Web and backend apps (secure, server-side). |
| Authorization Code with PKCE (Proof Key for Code Exchange) | Variant of Authorization Code for public clients (no client secret). | Mobile apps and SPAs. |
| Client Credentials | Direct app-to-app authorization without user interaction. | Service APIs, microservices, M2M. |
| Refresh Token | Obtains new access tokens without user re-login. | Long-lived sessions. |
| Device Code | Lets devices without browsers perform user login. | TVs, IoT devices. |
| JWT IDaaS | An API-based variant of Authorization Code. | Web and backend apps, mobile apps, and SPAs. |
Flow Types
Different app architectures use specific OAuth flows.
| Flow Type | Description | Used By |
|---|---|---|
| Authorization Code Flow | Client redirects user to Authorization Server → gets code → exchanges for tokens. | Web apps (secure backend). |
| Authorization Code Flow with PKCE | Adds PKCE challenge/verifier to protect public clients from interception. | Mobile and SPA apps. |
| Implicit Flow (OAuth 2.0 only) | Tokens returned directly via browser redirect (no code exchange). | Deprecated, formerly SPAs. |
| Client Credentials Flow | No user — client authenticates directly for API access. | Daemons, backend services. |
| Device Authorization Flow | User logs in on a separate device to authorize. | Smart TVs, consoles, IoT. |
| JWT IDaaS Flow | API-based variant of Authorization Code providing IDaaS Authentication API capability. | Consumer SSO, complex OIDC apps. |
OIDC Authentication Layer
OIDC extends OAuth to add identity authentication.
While OAuth grants permission to resources, OIDC tells the client application who the user is.
Key Additions
| OIDC Concept | Description |
|---|---|
| ID Token | A JWT that contains verified user identity info (e.g., sub, email, name). |
| UserInfo Endpoint | REST endpoint returning user claims. |
| Scopes | Additions like openid, profile, email, etc. |
| Claims | Specific user attributes included in tokens. |
Flow Types
| OIDC Flow | Based On | Description |
|---|---|---|
| Authorization Code Flow | OAuth Code Flow | Standard web app login. Server exchanges code for id_token + access_token. |
| Authorization Code Flow with PKCE | Authorization Code + PKCE | Secure for mobile/native apps (no client secret needed). |
| Implicit Flow | OAuth Implicit Flow | Returns tokens directly via redirect (legacy). |
| Authenticated Implicit Flow | OAuth Implicit Flow | Returns tokens directly via redirect for authenticated requests such as Microsoft EAM (External Authentication Methods). |
| JWT IDaaS Flow | OAuth JWT IDaaS Flow | API-based login. Provides IDaaS Authentication API capability. |
OAuth/OIDC Authentication Layer
OIDC can also be combined with OAuth to issue ID tokens for client applications and access tokens for resource servers. The ID token tells the client application who the user is, and the access token grants permission to resources.
Key Additions
| OIDC Concept | Description |
|---|---|
| UserInfo Endpoint | Not applicable. |
| Scopes | OIDC based scopes can be associated with OAuth access tokens as well. |
| Claims | OIDC based claims can be added to access tokens as well. |
Flow Types
Same as OAuth Flow Types.
Example Flows
OAuth Authorization Code Flow
- User signs in → redirected to the Authorization Server.
- Authorization Server authenticates (passwordless, passkey, etc.).
- User grants consent to the client.
- Client receives an authorization code.
- Client exchanges it for an Access Token.
- Client uses Access Token to access resource server APIs.
OIDC Authorization Code Flow
- User signs in → redirected to the Authorization Server.
- Authorization Server authenticates (passwordless, passkey, etc.).
- User grants consent to the client.
- Client receives an authorization code.
- Client exchanges it for an Access Token and ID Token.
- Client validates ID Token.
- Client uses Access Token to access UserInfo Endpoint APIs.
OAuth/OIDC Authorization Code Flow
- User signs in → redirected to the Authorization Server.
- Authorization Server authenticates (passwordless, passkey, etc.).
- User grants consent to the client.
- Client receives an authorization code.
- Client exchanges it for an Access Token and ID Token.
- Client validates ID Token.
- Client uses Access Token to access resource server APIs.
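The Authorization Code Flow with PKCE from the tables above and the OAuth Authorization Code Flow steps just listed, run end to end as an added example (not code from the original page or from the IDaaS product it describes). The `AuthorizationServer` class is an in-process stand-in for the real server; the client ID, redirect URI, scopes and issued token value are constructed for the demo, while the request parameters (`response_type`, `state`, `code_challenge`, `code_challenge_method`, `code_verifier`) are the standard OAuth ones.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 specifies for the challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge) for S256; 32 random bytes give the 43-char minimum."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """In-process stand-in for the authorization server (constructed for this demo)."""

    def __init__(self) -> None:
        self._codes = {}

    def authorize(self, params: dict) -> str:
        """Steps 1-4: user authenticated and consent given; issue a code and redirect back."""
        if params["response_type"] != "code" or params["code_challenge_method"] != "S256":
            raise ValueError("unsupported request")  # OAuth 2.1 style: code + PKCE only
        code = secrets.token_urlsafe(32)
        self._codes[code] = {  # the code is bound to client, redirect URI and challenge
            "client_id": params["client_id"],
            "redirect_uri": params["redirect_uri"],
            "code_challenge": params["code_challenge"],
            "scope": params["scope"],
            "expires": time.time() + 60,  # short-lived
        }
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form: dict) -> dict:
        """Step 5: redeem the code once, only with the verifier matching its challenge."""
        rec = self._codes.pop(form.get("code", ""), None)  # pop => a code can be used once
        if rec is None or rec["expires"] < time.time():
            return {"error": "invalid_grant"}
        if (rec["client_id"], rec["redirect_uri"]) != (form.get("client_id"), form.get("redirect_uri")):
            return {"error": "invalid_grant"}
        recomputed = b64url(hashlib.sha256(form.get("code_verifier", "").encode("ascii")).digest())
        if not secrets.compare_digest(recomputed, rec["code_challenge"]):
            return {"error": "invalid_grant"}
        return {"access_token": "constructed-access-token", "token_type": "Bearer",
                "expires_in": 3600, "scope": rec["scope"]}


def run_flow(server: AuthorizationServer, tamper_verifier: bool = False) -> dict:
    """Client side of the flow; returns the token response or an error object."""
    client_id, redirect_uri = "demo-client", "https://client.example/callback"  # constructed
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)  # ties the callback to this browser session

    # Step 1: send the user to /authorize with the challenge, never the verifier.
    callback = server.authorize({
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": "openid profile view:profile", "state": state,  # constructed scopes
        "code_challenge": challenge, "code_challenge_method": "S256",
    })

    # Step 4: the redirect arrives; drop it unless state matches what we sent.
    query = parse_qs(urlparse(callback).query)
    if query.get("state", [None])[0] != state:
        return {"error": "state_mismatch"}

    # Step 5: back-channel exchange; the verifier proves this client started the flow.
    return server.token({
        "grant_type": "authorization_code", "code": query["code"][0],
        "redirect_uri": redirect_uri, "client_id": client_id,
        "code_verifier": verifier + "x" if tamper_verifier else verifier,
    })


if __name__ == "__main__":
    srv = AuthorizationServer()
    print(run_flow(srv))                        # token response
    print(run_flow(srv, tamper_verifier=True))  # {'error': 'invalid_grant'}
```

The verifier stays on the client until the back-channel token request, the server pops the code so it can be redeemed only once, and a verifier that does not hash to the stored challenge yields `invalid_grant`; that binding is what protects a public client, which has no client secret, from a stolen authorization code.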
Example Response Token Sets
OAuth
```json
{
  "access_token": "eyWkr0i3pck...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "def50200a1..."
}
```
The access token is a JWT used to access the resource server.
OIDC
```json
{
  "access_token": "u3pgnmeis03r...",
  "id_token": "eyJraWQiOiJ...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "def50200a1..."
}
```
The access token is a JWT used to access the resource server. The ID token is a JWT used to identify the authenticated user.
OAuth/OIDC
```json
{
  "access_token": "eyWkr0i3pck...",
  "id_token": "eyJraWQiOiJ...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "def50200a1..."
}
```
The access token is a JWT used to access the resource server. The ID token is a JWT used to identify the authenticated user.
Example Tokens
OAuth/OIDC ID Token
Header
```json
{
  "x5t": "mtMXOuqGEWrLh7YURswUhOPs6CI",
  "kid": "200706313",
  "typ": "JWT",
  "alg": "RS256"
}
```
Payload
```json
{
  "jti": "3bb2e670-f5a5-477c-87e0-5d2841bcaad4",
  "nonce": "k3ao4pwi302vsijf",
  "sub": "user1",
  "iss": "https://example.us.trustedauth.com/api/oidc",
  "aud": "fcd612d3-79e6-4702-ba9d-90575125394f",
  "iat": 1763664566,
  "nbf": 1763664566,
  "exp": 1763668166,
  "locale": "en",
  "tid": "3a4a1be8-3989-42b2-931b-deed82536152",
  "auth_time": 1763664558,
  "acr": "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
  "amr": ["OTP", "otp", "sms", "pop"],
  "authenticators": ["NONE:OTP"],
  "email": "user.one@example.com",
  "given_name": "User",
  "family_name": "One",
  "name": "User One",
  "nickname": "User1",
  "groups_unique": ["2e90e388-f368-40e5-ab5a-2cf3c650eaa0", "7aa381e6-6834-4e66-b985-3ced99dad2cf"],
  "groups": ["Auditor", "Help Desk"],
  "favorite_color": "Blue"
}
```
OAuth/OIDC Access Token
Header
```json
{
  "x5t": "mtMXOuqGEWrLh7YURswUhOPs6CI",
  "kid": "200706313",
  "typ": "at+JWT",
  "alg": "RS256"
}
```
Payload (lite)
The configuration for this access token has been enabled to include minimal user information and additional authorization server information in the token.
```json
{
  "jti": "2e6fc675-8983-413e-b52b-dc1b629f8575",
  "sub": "user1",
  "iss": "https://example.us.trustedauth.com/api/oidc",
  "aud": "https://demo.com/marketplace",
  "iat": 1763664566,
  "nbf": 1763664566,
  "exp": 1763664626,
  "cid": "fcd612d3-79e6-4702-ba9d-90575125394f",
  "scope": "view:tests view:claims view:flights view:profile view:visits fill:claims post:visits"
}
```
Payload (full)
The configuration for this access token has been enabled to include all user information as well as additional authorization server information in the token.
```json
{
  "jti": "2e6fc675-8983-413e-b52b-dc1b629f8575",
  "sub": "user1",
  "iss": "https://example.us.trustedauth.com/api/oidc",
  "aud": "https://demo.com/marketplace",
  "iat": 1763664566,
  "nbf": 1763664566,
  "exp": 1763664626,
  "locale": "en",
  "tid": "3a4a1be8-3989-42b2-931b-deed82536152",
  "cid": "fcd612d3-79e6-4702-ba9d-90575125394f",
  "app": "Client Engagement",
  "auth_time": 1763664558,
  "acr": "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
  "amr": ["OTP", "otp", "sms", "pop"],
  "authenticators": ["NONE:OTP"],
  "scope": "view:tests view:claims view:flights view:profile view:visits fill:claims post:visits",
  "email": "user.one@example.com",
  "given_name": "User",
  "family_name": "One",
  "name": "User One",
  "nickname": "User1",
  "groups_unique": ["2e90e388-f368-40e5-ab5a-2cf3c650eaa0", "7aa381e6-6834-4e66-b985-3ced99dad2cf"],
  "groups": ["Auditor", "Help Desk"],
  "favorite_color": "Blue"
}
```
Token Validation
OIDC ID Token
An OIDC client must validate the ID token. Checks must include:
- ✅ Signature (using the authorization server’s JWKS keys)
- ✅ Issuer (`iss`) matches the expected authorization server
- ✅ Audience (`aud`) contains the client ID
- ✅ Expiration (`exp`) is valid
- ✅ Not Before (`nbf`) is valid
- ✅ Nonce (for replay protection)
- ✅ (If Requested) Authentication Context Reference (`acr`) is valid
- ✅ (If Requested) Authentication Time (`auth_time`) is valid
OAuth Access Token
A resource server, or an API gateway protecting a resource server, must validate the access token. Checks must include:
- ✅ Signature (using the authorization server’s JWKS keys)
- ✅ Issuer (`iss`) matches the expected authorization server
- ✅ Audience (`aud`) contains the resource being accessed
- ✅ Expiration (`exp`) is valid
- ✅ Not Before (`nbf`) is valid
- ✅ Scope (`scope`) contains the scope permissions needed to access the requested resource
- ✅ (Optional) Client ID (`cid`) is valid
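Both checklists above, implemented claim by claim, as an added example (not code from the original page or from the IDaaS product it describes). The claim values reuse the page's sample ID token and access token. The page's tokens are RS256-signed with keys published in the authorization server's JWKS; so that this runs offline with only the standard library, the example signs with HS256 and a constructed key instead, and the `KEYS` dictionary (kid to key) stands in for the JWKS lookup. The structure is the same: pin the algorithm, verify the signature before trusting any claim, then check each claim in turn.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(header: dict, payload: dict, key: bytes) -> str:
    """Constructed issuer side: compact JWT signed with HS256 (demo stand-in for RS256)."""
    segs = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    mac = hmac.new(key, ".".join(segs).encode("ascii"), hashlib.sha256).digest()
    return ".".join(segs + [b64url_encode(mac)])

def verify_signature(token: str, keys: dict) -> dict:
    """Pin the alg, select the key by kid (the JWKS lookup), verify, then return the payload."""
    h64, p64, s64 = token.split(".")  # anything but three segments raises ValueError here
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm ("none", downgrade)
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    key = keys.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    mac = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(s64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p64))  # no claim is trusted before this point

def check_common(claims: dict, issuer: str, audience: str, now: int) -> None:
    """iss, aud, exp and nbf: the checks both token types share."""
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")

def validate_id_token(token, keys, issuer, client_id, nonce, now, acr=None, max_age=None):
    """OIDC client: signature, iss, aud = client ID, exp, nbf, nonce, optional acr and auth_time."""
    claims = verify_signature(token, keys)
    check_common(claims, issuer, client_id, now)
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if acr is not None and claims.get("acr") != acr:
        raise ValueError("authentication context not satisfied")
    if max_age is not None and now - claims.get("auth_time", 0) > max_age:
        raise ValueError("authentication too old")
    return claims

def validate_access_token(token, keys, issuer, resource, required_scopes, now, client_id=None):
    """Resource server: signature, iss, aud = resource, exp, nbf, scope, optional cid."""
    claims = verify_signature(token, keys)
    check_common(claims, issuer, resource, now)
    missing = set(required_scopes) - set(claims.get("scope", "").split())
    if missing:
        raise ValueError(f"missing scope(s): {sorted(missing)}")
    if client_id is not None and claims.get("cid") != client_id:
        raise ValueError("unexpected client id")
    return claims

# Sample data: claim values from the page's example tokens; the key is constructed for the demo.
KEYS = {"200706313": b"constructed-demo-key-not-a-real-secret"}
ISSUER = "https://example.us.trustedauth.com/api/oidc"
CLIENT_ID = "fcd612d3-79e6-4702-ba9d-90575125394f"
RESOURCE = "https://demo.com/marketplace"
ACR = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"
HEADER = {"kid": "200706313", "typ": "JWT", "alg": "HS256"}
ID_CLAIMS = {"sub": "user1", "iss": ISSUER, "aud": CLIENT_ID, "nonce": "k3ao4pwi302vsijf", "acr": ACR,
             "iat": 1763664566, "nbf": 1763664566, "exp": 1763668166, "auth_time": 1763664558}
AT_CLAIMS = {"sub": "user1", "iss": ISSUER, "aud": RESOURCE, "iat": 1763664566, "nbf": 1763664566,
             "exp": 1763664626, "cid": CLIENT_ID, "scope": "view:tests view:claims view:profile"}
NOW = 1763664600  # a moment inside both validity windows

def demo() -> dict:
    """Happy paths plus the rejections a deployment should exercise; returns name -> outcome."""
    key = KEYS["200706313"]
    id_token, access_token = sign_jwt(HEADER, ID_CLAIMS, key), sign_jwt(HEADER, AT_CLAIMS, key)
    cases = {
        "id_ok": lambda: validate_id_token(id_token, KEYS, ISSUER, CLIENT_ID, "k3ao4pwi302vsijf", NOW, ACR, 300)["sub"],
        "at_ok": lambda: validate_access_token(access_token, KEYS, ISSUER, RESOURCE, ["view:profile"], NOW, CLIENT_ID)["sub"],
        "id_as_access": lambda: validate_access_token(id_token, KEYS, ISSUER, RESOURCE, [], NOW),
        "wrong_nonce": lambda: validate_id_token(id_token, KEYS, ISSUER, CLIENT_ID, "other", NOW),
        "expired": lambda: validate_access_token(access_token, KEYS, ISSUER, RESOURCE, [], NOW + 3600),
        "missing_scope": lambda: validate_access_token(access_token, KEYS, ISSUER, RESOURCE, ["post:visits"], NOW),
        "wrong_key": lambda: verify_signature(sign_jwt(HEADER, AT_CLAIMS, b"some-other-key"), KEYS),
        "alg_none": lambda: verify_signature(sign_jwt({**HEADER, "alg": "none"}, AT_CLAIMS, key), KEYS),
    }
    def outcome(call):
        try:
            return call()
        except ValueError as exc:
            return str(exc)
    return {name: outcome(call) for name, call in cases.items()}
```

The `id_as_access` case is the one most often missed in practice: the ID token is signed by the same issuer and is unexpired, but its `aud` is the client ID rather than the resource, so the resource server must reject it. Calling `demo()` returns the outcome of every case, with the two valid tokens resolving to `sub` and each rejection naming the failed check.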
Summary Table
| Concept | OAuth | OIDC | OAuth/OIDC |
|---|---|---|---|
| Purpose | Authorization by Client Applications to Resource Servers | Authentication of users by Client Applications | Authorization and Authentication |
| Tokens | Access and Refresh for resource servers | ID, Access, and Refresh for client applications | ID, Access, and Refresh for client applications; Access and Refresh for resource servers |
| Scopes | api.read, api.write | openid, profile, email | openid, profile, email, api.read, api.write |
| Flows | Code, PKCE, Client Credentials, Device, JWT IDaaS | Code, PKCE, Authn Implicit, JWT IDaaS | Code, PKCE, Client Credentials, Device, JWT IDaaS |
| Output | API Access | Authenticated Identity | API Access and Authenticated Identity |
Best Practices
- Always use Authorization Code with PKCE for mobile/web.
- Avoid Implicit flows.
- Use HTTPS everywhere.
- Validate ID token claims properly.
- Validate Access token claims properly.
- Rotate and expire tokens regularly.
- Use Refresh Tokens securely (bound to client or resource server).