OAuth 2.0 / OIDC Reference
Free reference guide: OAuth 2.0 / OIDC Reference
About OAuth 2.0 / OIDC Reference
The OAuth 2.0 / OIDC Reference is a searchable guide to modern authentication and authorization protocols. It covers all major authorization flows including Authorization Code Flow, Authorization Code with PKCE for public clients, Client Credentials for machine-to-machine communication, Device Code Flow for input-constrained devices, and the deprecated Implicit Flow with migration guidance.
This reference documents token types (Access Token, Refresh Token, ID Token) with JWT structure examples, token introspection (RFC 7662), and token revocation (RFC 7009). It also covers OIDC standard claims, required ID Token claims, standard scopes (openid, profile, email, offline_access), and essential endpoints including JWKS, Discovery (.well-known/openid-configuration), and UserInfo.
Built for backend developers, security engineers, and DevOps teams implementing OAuth 2.0 and OpenID Connect. All data is processed locally in your browser, with dark mode support across all devices.
Key Features
- Complete OAuth 2.0 flow reference: Authorization Code, PKCE, Client Credentials, Device Code, and Implicit (deprecated)
- Token management guide covering Access Tokens, Refresh Tokens, ID Tokens, introspection (RFC 7662), and revocation (RFC 7009)
- OIDC standard claims and required ID Token claims (iss, sub, aud, exp, iat, plus nonce whenever one was sent in the authorization request) with JSON examples
- Standard scopes reference: openid, profile, email, address, phone, and offline_access
- Endpoint documentation for JWKS (the URL advertised as jwks_uri, commonly .well-known/jwks.json), Discovery (.well-known/openid-configuration), and UserInfo
- PKCE implementation details with code_verifier generation and SHA-256 challenge computation
- Refresh Token Rotation best practices and security recommendations
- Real-world request/response examples for every flow and endpoint
Frequently Asked Questions
What is the difference between OAuth 2.0 and OpenID Connect (OIDC)?
OAuth 2.0 is an authorization framework that grants third-party applications limited access to resources via access tokens. OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0 that adds authentication by introducing ID Tokens (JWTs containing user identity claims like sub, name, and email). This reference covers both protocols together since they are used in tandem.
When should I use Authorization Code Flow vs. PKCE?
Authorization Code Flow is designed for confidential, server-side applications that can securely store a client_secret and authenticate to the token endpoint. PKCE (Proof Key for Code Exchange, RFC 7636) extends the Authorization Code Flow for public clients such as single-page apps and mobile apps that cannot keep a secret. The client generates a random code_verifier, sends its SHA-256 code_challenge with the authorization request, and presents the verifier when redeeming the code, so an attacker who intercepts the authorization code cannot exchange it. PKCE is not a replacement for client authentication: current best practice (the OAuth 2.0 Security Best Current Practice and the OAuth 2.1 draft) is to use PKCE on every authorization code request, confidential clients included, because it also defends against authorization code injection.
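The verifier and challenge computation described above, as an added example in Python (this is not code from the reference itself). It shows both sides: the client generating the verifier and building the authorization request, and the authorization server recomputing the challenge at the token endpoint. The endpoint URL, client_id and redirect_uri in the usage are assumptions; rejecting the plain method is a hardening choice of this example, not a requirement of RFC 7636.

```python
import base64
import hashlib
import hmac
import secrets
import string
from urllib.parse import urlencode

# RFC 7636 section 4.1: 43..128 characters from the unreserved set.
VERIFIER_MIN, VERIFIER_MAX = 43, 128
VERIFIER_ALPHABET = set(string.ascii_letters + string.digits + "-._~")


def b64url_nopad(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(nbytes: int = 32) -> str:
    """32 random bytes encode to a 43-character verifier (the RFC minimum length)."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(auth_endpoint: str, client_id: str, redirect_uri: str,
                            scope: str, state: str, verifier: str) -> str:
    """Client side: the authorization request carries the challenge, never the verifier."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{auth_endpoint}?{urlencode(params)}"


def verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Authorization server side, at the token endpoint.

    The challenge and method were stored alongside the authorization code when it
    was issued; the verifier arrives in the token request. This example refuses
    'plain' (a policy choice): only S256 protects against a leaked challenge.
    """
    if stored_method != "S256":
        return False
    if not VERIFIER_MIN <= len(presented_verifier) <= VERIFIER_MAX:
        return False
    if any(c not in VERIFIER_ALPHABET for c in presented_verifier):
        return False
    expected = code_challenge_s256(presented_verifier)
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    # Assumed endpoint and client details, for illustration only.
    verifier = generate_code_verifier()
    print(build_authorization_url("https://as.example/authorize", "spa-client",
                                  "https://app.example/callback", "openid profile",
                                  secrets.token_urlsafe(16), verifier))
    print(verify_pkce(code_challenge_s256(verifier), "S256", verifier))
```

The RFC 7636 Appendix B test vector (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk, challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM) is a convenient way to check any implementation of this computation.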
What is the Client Credentials Flow used for?
Client Credentials Flow is designed for server-to-server (machine-to-machine) communication where no user is involved. The client authenticates directly to the token endpoint with its client_id and client_secret (or a stronger method such as private_key_jwt or mutual TLS) to obtain an access token; no ID Token is issued and normally no refresh token, since there is no user session to represent. Common use cases include microservice-to-microservice API calls, background jobs, and automated systems that need API access without user interaction.
What claims must an ID Token contain?
An OIDC ID Token must always contain iss (the issuer URL, matched exactly against the issuer from Discovery), sub (a unique, stable identifier for the user at that issuer), aud (which must contain the client's client_id; if several audiences are listed, azp should also be present and name this client), exp (expiration time as a Unix timestamp), and iat (issued-at time). nonce is required whenever the client sent a nonce in the authorization request, which is always the case for the Implicit and Hybrid flows, and the client must verify it equals the value it sent; auth_time is required when the client requested max_age. Additional standard claims like name, email, and picture are optional and depend on the requested scopes. A client must validate all of these, together with the token's signature against the provider's JWKS, before trusting the identity.
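The claim checks above as an added Python example (not code from the reference). It assumes the JWT signature has already been verified against the provider's jwks_uri and that the decoded payload is passed in as a dict; the issuer, client_id and sample claims are constructed for illustration.

```python
import hmac
import time
from typing import List, Optional

REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "iat")

# Constructed sample payload, shaped like an OIDC Core ID Token.
SAMPLE_NOW = 1700000000
SAMPLE_CLAIMS = {
    "iss": "https://op.example",
    "sub": "248289761001",
    "aud": "s6BhdRkqt3",
    "exp": SAMPLE_NOW + 300,
    "iat": SAMPLE_NOW - 5,
    "nonce": "n-0S6_WzA2Mj",
    "name": "Jane Doe",
    "email": "jane@example.com",
}


def validate_id_token_claims(claims: dict, issuer: str, client_id: str,
                             expected_nonce: Optional[str], now: Optional[int] = None,
                             leeway: int = 60) -> List[str]:
    """Return validation errors; an empty list means the claims are acceptable.

    Signature verification is assumed to have happened already. `expected_nonce`
    is the value this client sent in the authorization request, or None if it
    sent none. `leeway` absorbs small clock skew between client and provider.
    """
    now = int(time.time()) if now is None else now
    errors: List[str] = []

    missing = [name for name in REQUIRED_CLAIMS if name not in claims]
    if missing:
        return ["missing required claim(s): " + ", ".join(missing)]

    if claims["iss"] != issuer:
        errors.append("iss does not match the expected issuer")
    if not isinstance(claims["sub"], str) or not claims["sub"]:
        errors.append("sub must be a non-empty string")

    # aud may be a single string or a list of audiences.
    aud = claims["aud"]
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in audiences:
        errors.append("aud does not contain this client_id")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        errors.append("multiple audiences but azp is missing or is not this client")

    if not isinstance(claims["exp"], int) or claims["exp"] + leeway <= now:
        errors.append("token has expired")
    if not isinstance(claims["iat"], int) or claims["iat"] - leeway > now:
        errors.append("iat is in the future")

    if expected_nonce is not None:
        if "nonce" not in claims:
            errors.append("nonce was sent in the request but is absent from the ID Token")
        elif not hmac.compare_digest(str(claims["nonce"]), expected_nonce):
            errors.append("nonce does not match the value sent in the request")
    return errors


if __name__ == "__main__":
    print(validate_id_token_claims(SAMPLE_CLAIMS, "https://op.example", "s6BhdRkqt3",
                                   "n-0S6_WzA2Mj", now=SAMPLE_NOW))
```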
How does Token Introspection (RFC 7662) work?
Token Introspection lets a resource server ask the authorization server whether a token is still valid: it sends an authenticated POST to the introspection endpoint (published as introspection_endpoint in the provider metadata; the path itself is not standardised) with the token in the form-encoded body, authenticating with its own client credentials rather than the end user's. The response is a JSON object whose "active" field is true or false; for an active token it also carries metadata such as sub, scope, client_id and exp, while for an unknown, expired or revoked token the server returns only active:false so that callers cannot probe for token details. This is especially useful for opaque tokens that cannot be validated locally, and it is also the only way to notice that a self-contained JWT has been revoked before it expires. Because every API request becomes a network round trip, resource servers typically cache introspection results for a short, bounded time, and should treat any transport error or malformed response as "inactive" (fail closed).
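The exchange above as an added Python example (not the reference's own code): the resource server builds the RFC 7662 request, a constructed stand-in plays the authorization server, and the resource server makes its allow/deny decision from the response. The credentials, token values and store contents are all constructed; in practice the `introspect` callable would POST the headers and body to the provider's introspection_endpoint over HTTPS.

```python
import base64
import hmac
import time
from typing import Callable, Dict, Tuple
from urllib.parse import parse_qsl, urlencode

# Constructed credentials for the resource server, the caller of introspection.
RS_CLIENT_ID = "api-gateway"
RS_CLIENT_SECRET = "rs-secret-not-for-production"


def build_introspection_request(token: str, caller_id: str, caller_secret: str) -> Tuple[Dict[str, str], str]:
    """Wire shape of an RFC 7662 request: an authenticated POST with a form-encoded body.

    HTTP Basic over TLS is shown; a provider may instead require private_key_jwt or
    mutual TLS. The credentials are the resource server's own, never the end user's.
    """
    creds = base64.b64encode(f"{caller_id}:{caller_secret}".encode("utf-8")).decode("ascii")
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({"token": token, "token_type_hint": "access_token"})
    return headers, body


# Constructed stand-in for the authorization server's token store.
_NOW = int(time.time())
_TOKEN_STORE = {
    "2YotnFZFEjr1zCsicMWpAA": {"active": True, "scope": "read write", "client_id": "mobile-app",
                                "sub": "Z5O3upPC88QrAjx00dis", "token_type": "Bearer", "exp": _NOW + 3600},
    "revoked-token-value": {"active": False},
    "expired-token-value": {"active": True, "scope": "read", "client_id": "mobile-app",
                            "sub": "Z5O3upPC88QrAjx00dis", "token_type": "Bearer", "exp": _NOW - 1},
}


def fake_introspection_endpoint(headers: Dict[str, str], body: str) -> Dict:
    """Constructed authorization-server behaviour standing in for the HTTPS POST.

    Unauthenticated callers are refused, and unknown, revoked and expired tokens all
    get the same minimal {"active": false} so the endpoint cannot be used to probe
    token details (RFC 7662 section 2.2).
    """
    expected = base64.b64encode(f"{RS_CLIENT_ID}:{RS_CLIENT_SECRET}".encode("utf-8")).decode("ascii")
    if not hmac.compare_digest(headers.get("Authorization", ""), f"Basic {expected}"):
        raise PermissionError("401 Unauthorized")
    params = dict(parse_qsl(body))
    record = _TOKEN_STORE.get(params.get("token", ""))
    if record is None or not record.get("active") or record["exp"] <= int(time.time()):
        return {"active": False}
    return record


def authorize_request(token: str, required_scope: str,
                      introspect: Callable[[Dict[str, str], str], Dict]) -> bool:
    """Resource-server decision: any transport error or odd response means deny."""
    headers, body = build_introspection_request(token, RS_CLIENT_ID, RS_CLIENT_SECRET)
    try:
        resp = introspect(headers, body)
    except Exception:
        return False  # fail closed
    # "active" must be the JSON boolean true, not a truthy string.
    if not isinstance(resp, dict) or resp.get("active") is not True:
        return False
    # Re-check exp locally even on an active answer (cached or clock-skewed responses).
    if "exp" in resp and int(resp["exp"]) <= int(time.time()):
        return False
    return required_scope in set(resp.get("scope", "").split())


if __name__ == "__main__":
    print(authorize_request("2YotnFZFEjr1zCsicMWpAA", "read", fake_introspection_endpoint))
    print(authorize_request("revoked-token-value", "read", fake_introspection_endpoint))
```

A real deployment would wrap the `introspect` call with a short TTL cache keyed on the token so that a burst of API calls does not become a burst of introspection calls; the local exp check stays in place so a cached "active" answer can never outlive the token.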
What is the OIDC Discovery endpoint?
The Discovery endpoint at <issuer>/.well-known/openid-configuration returns a JSON document describing the OIDC provider's configuration, including the issuer URL, authorization_endpoint, token_endpoint, userinfo_endpoint, jwks_uri, and supported scopes, response types and signing algorithms. Clients use this to configure themselves without hardcoding endpoint URLs. The issuer value in the document must be identical to the issuer URL the client used to fetch it, and the client should only fetch discovery over HTTPS from an issuer it was configured with, never one supplied at runtime, because whoever controls the document controls where codes, tokens and client credentials are sent.
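The validation steps above as an added Python example (not code from the reference): it derives the discovery URL from a configured issuer, then checks a fetched document for the required metadata, the exact issuer match, https on every endpoint, and support for the code flow. The sample document is constructed for a hypothetical provider at https://op.example; insisting that S256 PKCE is advertised is a policy choice of this example rather than a Discovery requirement.

```python
import json
from typing import List
from urllib.parse import urlsplit

# Metadata that OpenID Connect Discovery 1.0 section 3 marks REQUIRED.
REQUIRED_METADATA = (
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
)
ENDPOINT_KEYS = (
    "authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri",
    "introspection_endpoint", "revocation_endpoint", "end_session_endpoint",
)

# Constructed discovery document for a hypothetical provider.
SAMPLE_DISCOVERY_DOCUMENT = json.dumps({
    "issuer": "https://op.example",
    "authorization_endpoint": "https://op.example/authorize",
    "token_endpoint": "https://op.example/token",
    "userinfo_endpoint": "https://op.example/userinfo",
    "jwks_uri": "https://op.example/.well-known/jwks.json",
    "introspection_endpoint": "https://op.example/introspect",
    "revocation_endpoint": "https://op.example/revoke",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "code_challenge_methods_supported": ["S256"],
})


def discovery_url(issuer: str) -> str:
    """Issuer (any trailing slash removed) + /.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(configured_issuer: str, document_text: str) -> List[str]:
    """Return validation errors for a fetched discovery document; empty means usable."""
    errors: List[str] = []
    try:
        doc = json.loads(document_text)
    except ValueError:
        return ["discovery document is not valid JSON"]
    if not isinstance(doc, dict):
        return ["discovery document is not a JSON object"]

    missing = [k for k in REQUIRED_METADATA if k not in doc]
    if missing:
        errors.append("missing required metadata: " + ", ".join(missing))

    # Discovery section 4.3: the issuer value MUST be identical to the issuer used.
    if doc.get("issuer") != configured_issuer:
        errors.append("issuer in document does not match the configured issuer")

    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if url is not None and urlsplit(str(url)).scheme != "https":
            errors.append(f"{key} must use https")

    if "code" not in doc.get("response_types_supported", []):
        errors.append("provider does not support response_type=code")
    # Policy of this example: only accept providers that advertise S256 PKCE.
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        errors.append("provider does not advertise S256 for PKCE")
    return errors


if __name__ == "__main__":
    print(discovery_url("https://op.example"))
    print(validate_discovery("https://op.example", SAMPLE_DISCOVERY_DOCUMENT))
```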
Why was the Implicit Flow deprecated?
The Implicit Flow was deprecated because the authorization server returns the access token directly in the redirect URL fragment (redirect_uri#access_token=TOKEN). The token can leak through browser history, the Referer header, and logs, and because the token endpoint is never used there is no client authentication, no way for the client to confirm the token was issued to it (access token injection and replay), and no refresh token. The OAuth 2.0 Security Best Current Practice recommends Authorization Code Flow with PKCE instead, which keeps tokens out of the URL, binds the code to the client that started the flow, and is the supported choice for single-page applications.
Is this OAuth 2.0 / OIDC reference free?
Yes, this reference is completely free with no usage limits, no account required, and no software installation needed. All data is processed locally in your browser. It is part of liminfo.com's collection of free online developer and security tools.