Question 1

What is OpenID Connect (OIDC)?

Accepted Answer

OpenID Connect is an identity layer built on top of OAuth 2.0. While OAuth 2.0 handles authorization (granting access to resources), OIDC handles authentication (verifying who the user is). It returns an ID Token (a JWT) in addition to an access token.

Question 2

What is the difference between OIDC and OAuth 2.0?

Accepted Answer

OAuth 2.0 is an authorization framework for granting access to APIs. OIDC extends OAuth 2.0 with a standardized identity layer — it specifies how to get user information, defines a UserInfo endpoint, and provides the ID Token for SSO.

Question 3

What are common OIDC providers?

Accepted Answer

Popular OIDC providers include: Google (accounts.google.com), Microsoft Entra ID (login.microsoftonline.com), Auth0, Okta, Keycloak, AWS Cognito, and GitHub (supports OAuth but not full OIDC).

Question 4

What scopes should I request?

Accepted Answer

openid is required for OIDC. profile returns basic user info (name, picture). email returns the user's email. Additional scopes depend on the provider. Requesting minimal scopes is a security best practice.

Question 5

What is nonce used for?

Accepted Answer

The nonce is a random value included in the authorization request and embedded in the ID Token. Your application verifies the nonce matches to prevent replay attacks — an attacker cannot reuse an ID Token from a previous session.

Question 6

How do I debug an OpenID Connect token?

Accepted Answer

Paste your ID token (a JWT) into the debugger above. OIDC ID tokens follow JWT format — the decoder extracts standard OIDC claims like sub (user ID), email, name, iss (issuer), aud (client ID), and exp (expiry). To inspect access tokens and refresh tokens from OAuth 2.0 flows, use DevDecode's JWT Decoder or OAuth Token Inspector.

Question 7

What is the difference between OpenID Connect and OAuth 2.0?

Accepted Answer

OAuth 2.0 is an authorization framework — it grants access to resources via access tokens. OpenID Connect (OIDC) adds an identity layer on top of OAuth 2.0 — it issues ID tokens (JWTs) that contain user identity claims. Use OIDC when you need to know who the user is; use OAuth 2.0 when you need delegated API access.

OIDC Debugger — OpenID Connect Authorization URL Builder

Frequently Asked Questions

OpenID Connect Authorization Flow

Related Tools

PKCE Generator

JWT Decoder

OAuth Token Inspector

API Key Generator