OpenID Connect

About OpenID Connect

OpenID Connect (OIDC) is the new emerging standard for single sign-on and identity provision on the internet. This section provides a quick introduction to the OIDC and for more a more in-depth description see Specifications & Developer information.

OpenID Connect VS OAuth 2.0

OIDC is authentication built on top of OAuth 2.0 and implements authentication as an extension to the OAuth 2.0 authorization process. While OAuth defines no specific token format, no common set of scopes for the access token, and does not address how a protected resource validates an access token, OpenID Connect does.

Authentication flows

A flow is the process starting from the users authentication requests for accessing a resource, to when the user gets authenticated and obtains the token to access the resource. The flows also determine how the ID Token and Access Token are returned to the client. OpenID Connect defines three types of flows:

For detailed specification of these flows, check out OpenId authentication specs.


Unit4 Identity Services (U4IDS) supports not only the three flows defined by OpenID Connect, but also two more flows defined by OAuth 2.0: the client credential flow, and the custom flow. We have a page dedicated to all the different kind of flows and their specifications. We recommend that you use Authorization code combined with Proof Key for Code Exchange (PKCE) to replace other OpenID Connect flows.


Token types

For OpenId Connect there are three different token types.

Token formats

A token can appear in different formats. In OpenId Connect it is returned to the client as a JSON Web Token format. In other protocols, such as WS-Federation and SAML-P, SAML assertions is used as the format.


OAuth defines Scopes which are like permissions or delegated rights that the Resource Owner wishes the client to be able to do on their behalf. The client may request certain rights, but the user may only grant some of them or allow others that are not even requested.


Authorization endpoint

Authorization endpoint, also referred to as Authentication Endpoint performs authentication of the end user. This is done by sending the User Agent to the Authorization Server's Authorization Endpoint for Authentication and Authorization, using request parameters defined by OAuth 2.0 and additional parameters and parameter values defined by OpenID Connect.

Token endpoint

Used to programmatically request or refresh tokens (authorization code flow, hybrid flow, resource owner password credential flow, client credentials flow and custom grant types).

Discovery endpoints

OpenID Connect offers discovery endpoints. It discovers the End-User's OpenID Provider and obtains information needed to interact with it, including its OAuth 2.0 endpoint locations. See OpenID Connect discovery and Client metadata for more details.

Metadata endpoint

/.well-known/openid-configuration endpoints

jwks endpoint

OPTIONAL. URL for the Client's JSON Web Key Set JWK document. If the Client signs requests to the Server, it contains the signing key(s) the Server uses to validate signatures from the Client.