Script Valley
JWT & Session Auth: Deep Dive
OAuth 2.0 and Third-Party Auth (Lesson 4.3)

What OpenID Connect adds on top of OAuth 2.0

OIDC vs OAuth 2.0, ID token, UserInfo endpoint, OIDC scopes, JWT ID token structure, nonce parameter, profile claims

OpenID Connect on Top of OAuth 2.0

OIDC vs OAuth

OAuth 2.0 handles authorization — it tells you an access token grants access to certain resources. It says nothing about who the user is. OpenID Connect (OIDC) is an identity layer built on OAuth 2.0 that adds authentication.

OIDC adds two things:

  1. ID Token: A JWT returned alongside the access token. It contains identity claims — user ID, email, name, when they authenticated. This is the authentication assertion.
  2. UserInfo endpoint: An OAuth-protected endpoint returning additional profile claims when called with the access token.

The OIDC-specific scope is openid. Adding profile and email scopes includes name and email claims in the ID token.

// ID token payload example
{
  "iss": "https://accounts.google.com",
  "sub": "116114201827434567890",  // stable user identifier
  "aud": "YOUR_CLIENT_ID",  // placeholder: your client_id; OIDC requires this claim
  "email": "user@example.com",
  "name": "Jane Doe",
  "iat": 1700000000,
  "exp": 1700003600,
  "nonce": "abc123"  // ties token to this specific auth request
}

The nonce claim binds the ID token to a specific authorization request, preventing replay attacks. Always verify that it matches the nonce you generated and stored in the session when you sent that request.

When someone says "log in with Google" and you receive a user identity — that is OIDC, not raw OAuth.
