What is OIDC (OpenID Connect)?

OIDC is the identity layer on top of OAuth 2.0 — it's what you actually want when you're adding login to an app.

LoginWith team

OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0. It adds a standardized way to authenticate a user — to know who signed in, not just what they authorized.

What OIDC adds to OAuth 2.0

  • An ID token — a signed JWT with claims about the user (sub, email, name, etc.)
  • A standardized /userinfo endpoint for fetching profile data
  • Discovery via /.well-known/openid-configuration
  • Standard scopes (openid, profile, email) that every provider implements consistently

When someone says “we use OAuth for login,” they almost always mean OIDC.

Why it exists

OAuth 2.0 alone doesn’t tell you who the user is. You can get an access token and call an API with it, but there’s no standard way to ask “whose token is this?” — providers did it differently, SDKs disagreed, and the cost was real interoperability problems.

OIDC fixed that. Every OIDC-compliant provider issues identity claims in the same shape, so a correctly written client can sign in users from Google, Microsoft, Okta, or anywhere else without per-provider hacks.
