OpenID Connect (OIDC)
Also Known As
OIDC
OpenID
SSO
identity provider
TL;DR
An identity layer on top of OAuth 2.0 — while OAuth 2.0 handles authorisation (access to resources), OIDC adds authentication (who the user is) via the ID token.
Explanation
OpenID Connect adds three things to OAuth 2.0: an ID token (a JWT carrying identity claims such as sub, name, email and picture), a UserInfo endpoint (for fetching additional claims), and a discovery document (/.well-known/openid-configuration, which lists all endpoints). The ID token is for the client application, so it knows who logged in; the access token is for calling APIs. The flow is the OAuth 2.0 authorization_code flow with the openid scope added. PHP libraries: league/oauth2-client, thephpleague/oauth2-google, and lcobucci/jwt for token validation.
Common Misconception
✗ OAuth 2.0 and OpenID Connect are the same — OAuth 2.0 is an authorisation framework (access tokens for APIs); OIDC adds authentication (identity tokens telling you who the user is). Using OAuth alone doesn't tell you who is logged in.
Why It Matters
Many PHP apps implement 'Login with Google' by using the OAuth 2.0 access token to identify the user. This is insecure: the access token is opaque and is not guaranteed to identify who is logged in. OIDC's ID token is the correct mechanism.
Common Mistakes
- Using the OAuth access token to identify the user — access tokens are for calling APIs, not authentication.
- Not validating the ID token signature: without signature validation, anyone can craft a JWT that your app accepts.
- Not checking the aud (audience) claim: an ID token issued to a different client can be replayed against yours.
- Not verifying the nonce: the nonce binds the ID token to the login session that requested it and blocks replay.
Code Examples
✗ Vulnerable
// Using access token for identity — wrong:
$accessToken = $oauth->getAccessToken('authorization_code', ['code' => $_GET['code']]);
// Access token is opaque — you don't know who this user is from the token alone
$user = $googleApi->getUser($accessToken->getToken()); // Extra API call needed
// Token may belong to any Google user
✓ Fixed
// OIDC — ID token contains verified identity:
$provider = new Google(['clientId' => ..., 'redirectUri' => ...]);
// Login start: request the openid scope and bind a fresh nonce to this session.
// (league/oauth2-client takes the scope at the authorization request, not at the code exchange.)
$_SESSION['oauth_nonce'] = bin2hex(random_bytes(16));
$authUrl = $provider->getAuthorizationUrl([
    'scope' => ['openid', 'email', 'profile'],
    'nonce' => $_SESSION['oauth_nonce'],
]);
$_SESSION['oauth2state'] = $provider->getState();
// ... redirect the browser to $authUrl
// Callback: reject a forged callback (CSRF), then exchange the code
if (empty($_GET['state']) || !hash_equals($_SESSION['oauth2state'], $_GET['state'])) {
    exit('Invalid state');
}
$tokens = $provider->getAccessToken('authorization_code', ['code' => $_GET['code']]);
// ID token: JWT with signed identity claims, returned alongside the access token
$idToken = $tokens->getValues()['id_token'];
// $jwtValidator: your wrapper around lcobucci/jwt that checks the RS256 signature against
// Google's published keys plus iss, aud, exp and nonce, and throws on any failure
$claims = $jwtValidator->validate($idToken, [
    'iss' => 'https://accounts.google.com',
    'aud' => CLIENT_ID,
    'nonce' => $_SESSION['oauth_nonce'],
]);
$userId = $claims['sub']; // Stable user identifier
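The checks listed under Common Mistakes, and the ones the fixed snippet delegates to $jwtValidator, as a stand-alone added example (not code from the original page or from any of the libraries it names). It assumes RS256 and that the provider's public key has already been fetched from the jwks_uri in its discovery document and selected by the token's kid header; a throw-away key pair stands in for it so the example runs offline.

```php
<?php
// Added example, not from the original page: a minimal validator that applies the
// ID-token checks the text lists (signature, iss, aud, exp, nonce) with no library.
// Assumptions: RS256, and the provider's public key was already fetched from the
// jwks_uri in its discovery document and selected by the token's "kid" header.
// A throw-away key pair stands in for it here so the example runs offline.
function b64urlDecode(string $s): string {
    return base64_decode(strtr($s, '-_', '+/') . str_repeat('=', (4 - strlen($s) % 4) % 4));
}
function b64urlEncode(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}
/** Returns the verified claims, or throws on the first failed check. */
function validateIdToken(string $jwt, string $pubKeyPem, string $issuer, string $clientId, string $nonce): array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) throw new RuntimeException('malformed token');
    list($h, $p, $s) = $parts;
    $header = json_decode(b64urlDecode($h), true);
    // Pin the algorithm: the token must not choose it (rejects alg=none and key confusion)
    if (!is_array($header) || ($header['alg'] ?? null) !== 'RS256') throw new RuntimeException('unexpected alg');
    if (openssl_verify("$h.$p", b64urlDecode($s), $pubKeyPem, OPENSSL_ALGO_SHA256) !== 1) {
        throw new RuntimeException('bad signature');
    }
    $c = json_decode(b64urlDecode($p), true);
    if (!is_array($c))                                         throw new RuntimeException('malformed claims');
    if (($c['iss'] ?? null) !== $issuer)                       throw new RuntimeException('wrong issuer');
    if (!in_array($clientId, (array)($c['aud'] ?? []), true))  throw new RuntimeException('aud is not this client');
    if (($c['exp'] ?? 0) <= time())                            throw new RuntimeException('token expired');
    if (!hash_equals($nonce, (string)($c['nonce'] ?? '')))     throw new RuntimeException('nonce mismatch');
    if (empty($c['sub']))                                      throw new RuntimeException('missing sub');
    return $c;
}
// Constructed demo: mint a token with a throw-away key, then validate it.
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$pubPem = openssl_pkey_get_details($key)['key'];
$nonce = bin2hex(random_bytes(16));   // in a real app this is stored in $_SESSION at login start
$claims = ['iss' => 'https://accounts.google.com', 'aud' => 'my-client-id', 'sub' => '1234567890',
           'email' => 'user@example.com', 'iat' => time(), 'exp' => time() + 300, 'nonce' => $nonce];
$input = b64urlEncode(json_encode(['alg' => 'RS256', 'typ' => 'JWT'])) . '.' . b64urlEncode(json_encode($claims));
openssl_sign($input, $sig, $key, OPENSSL_ALGO_SHA256);
$idToken = $input . '.' . b64urlEncode($sig);
echo 'sub: ', validateIdToken($idToken, $pubPem, 'https://accounts.google.com', 'my-client-id', $nonce)['sub'], "\n";
try {  // the same token presented to a different client must be rejected (the aud check)
    validateIdToken($idToken, $pubPem, 'https://accounts.google.com', 'other-client', $nonce);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

In production the key comes from the provider's JWKS and is matched on the token's kid; keys rotate, so cache the key set and refetch on an unknown kid rather than hard-coding a PEM.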
Added
16 Mar 2026
Edited
22 Mar 2026
Tools & Severity
🟠 High
⚙ Fix effort: High
⚡ Quick Fix
Use OpenID Connect (OIDC) when you need identity: it adds an ID token to OAuth 2.0. Take the user's identity from the validated ID token claims rather than calling the UserInfo endpoint on every request.
📦 Applies To
PHP 7.0+
web
api
🔍 Detection Hints
Using the OAuth 2.0 access token to identify users; no ID token parsing; calling the UserInfo endpoint on every request instead of caching the claims.
Auto-detectable:
✗ No
semgrep
🤖 AI Agent
Confidence: Medium
False Positives: Medium
✗ Manual fix
Fix: High
Context: File
Tests: Update
CWE-287