OpenID Connect (OIDC)

Status: Scaffold — content in progress

OpenID Connect (OIDC) is an identity layer on top of OAuth 2.0. While OAuth2 handles authorization (can this app access resource X?), OIDC handles authentication (who is this user?).

Key Concepts

Concept	Description
ID Token	JWT containing identity claims about the authenticated user
UserInfo Endpoint	API endpoint that returns additional claims
Discovery Document	`/.well-known/openid-configuration` — lists endpoints and supported features
Claims	Key-value pairs in the ID token: `sub`, `email`, `name`, `iss`, `aud`, `exp`

ID Token Anatomy

{
  "iss": "https://login.microsoftonline.com/{tenantId}/v2.0",
  "sub": "AAAAAAAAAAAAAAAAAAAAAIkzqFVrSaSaFHy9821BiTOE",
  "aud": "6cb04018-a3f5-46a7-b995-940c78f5aef3",
  "exp": 1536361411,
  "iat": 1536274711,
  "name": "John Smith",
  "preferred_username": "jsmith@corp.com",
  "oid": "a1be-...",
  "tid": "72f988bf-..."
}

OIDC Federation Attacks

Attack	Mechanism
Token audience bypass	App accepts tokens with wrong `aud` claim
Issuer confusion	App does not validate `iss` strictly
OIDC federation misconfiguration	Cloud workload allowed to present tokens for any subject

Cross-Links

Topic	Link
OAuth2	oauth2
Entra Overview	entra-overview

Key Concepts​

ID Token Anatomy​

OIDC Federation Attacks​

Cross-Links​

Key Concepts

ID Token Anatomy

OIDC Federation Attacks

Cross-Links