OpenId - authenticate users with single-sign on

“OpenID Connect is an authentication standard built on top of OAuth 2.0. It adds an additional token called an ID token. OpenID Connect also standardizes areas that OAuth 2.0 leaves up to choice, such as scopes, endpoint discovery, and dynamic registration of clients. Okta is OpenID Certified”definition from okta developer site

OpenID provider, end user, relying party and ID token

Just to clarify the terms:

• OpenID provider — The authorization server that issues the ID token. (Okta for example).
• end user — Whose information is contained in the ID token
• claim is a piece of information about the end user
• relying party — The client application that requests the ID token
• ID token - is issued by the OpenID Provider and contains information about the end user in the form of claims

OpenID Connect flow

The OpenID Connect flow looks the same as OAuth. The only differences are, in the initial request, a specific scope of openId is used, and in the final exchange the Client receives both an Access Token and an ID Token.

SAML2 vs JWT part 3 has good diagram to illustrate the flow. I recommend to read other parts of the blog (links below)

Couple good references:

• OAuth 2.0 and OpenID Connect Overview
• OpenId
• Creating An OpenID Connect System With Angular 8 And IdentityServer4
• SAML2 vs JWT: Understanding OpenID Connect Part 1
• SAML2 vs JWT: Understanding OpenID Connect Part 2
• SAML2 vs JWT: Understanding OpenID Connect Part 3