The ultimate guide to OIDC providers (or building your own)
Learn what an OIDC provider is and why you should use one, how to connect to an OIDC provider, and how to create your own OIDC provider.
OpenID Connect (OIDC) is a widely used single sign-on (SSO) protocol that adds an identity layer on top of OAuth 2.0. A client (the relying party) delegates authentication to a trusted authorization server, the OpenID Provider, and receives a signed assertion of who the user is along with basic profile information.
OIDC providers play a critical role in this process. They implement the OIDC protocol and authenticate users on behalf of the connected applications.
In this article, we’ll discuss what exactly an OIDC provider is and why you should use one, show you how to connect to an OIDC provider, and then walk you through creating your own OIDC provider.
What is an OIDC provider?
An OIDC provider is a service that manages user authentication and identity verification for client applications using the OpenID Connect protocol.
Some of the key functions of OIDC providers are:
- Authentication: The OIDC provider confirms the user's identity. This can be through a login form where users submit their details, passkeys, security tokens, or other authentication methods.
- Authorization: After authentication, the provider records which scopes the user (or an administrator) has consented to release to the client, and limits the tokens it issues to those scopes. Fine-grained access decisions inside your own application remain your responsibility.
- Token issuance: The OIDC provider issues tokens after successful authentication. The primary token is the ID Token, a signed JSON Web Token (JWT) containing claims about the user's identity and about the authentication event itself (issuer, audience, expiry, nonce). It may also issue an access token, which the app presents to the provider's UserInfo endpoint or to other protected resources on behalf of the user. The client should treat the access token as opaque and never parse it for identity; identity comes from the ID token.
Why use an OIDC provider?
- Security: OIDC providers specialize in identity and access management. They can afford to have entire teams of security experts who stay current with best practices and the latest threats.
- Simplicity and speed: They provide pre-built solutions, SDKs, and APIs that seamlessly integrate into your existing systems, taking the heavy lifting of maintenance and updates off your shoulders.
- Scale as you grow: OIDC providers are built to accommodate large volumes of users and authentication requests. Whether you're experiencing rapid growth or sudden spikes in usage, these providers are equipped to dynamically adjust to increased demand without compromising performance.
- Compliance: OIDC providers help keep authentication practices aligned with privacy laws and security standards, reducing the regulatory burden on you. They also log and monitor sign-in activity and produce audit trails of authentication and access events that are vital for compliance.
Who are the leading public OIDC providers?
- Google (Google Identity Platform)
- Microsoft (Microsoft Entra ID, formerly Azure Active Directory)
- Apple (Sign in with Apple)
- Facebook (Facebook Login, which is OAuth 2.0-based rather than a full OIDC implementation)
- GitHub (GitHub OAuth; plain OAuth 2.0 without ID tokens for user sign-in, so it is usually treated as a social login rather than an OIDC provider)
- Okta
- Amazon Web Services (Amazon Cognito)
How do you connect to an OIDC provider?
Connecting to an OIDC provider generally includes setting up a client with the OIDC provider, handling authentication requests, and managing tokens for user sessions.
Register your application with an OIDC provider
This typically involves providing your application's name and type (web, mobile, single-page, etc.) and registering the exact redirect URIs the OIDC provider may send users back to after authentication. Providers match redirect URIs exactly, so register every URI you use, including scheme, host, port and path, and avoid wildcards.
After registration, the provider issues a client ID and, for confidential clients that can keep a secret on a server, a client secret. You use these to identify (and, for confidential clients, authenticate) your application to the provider. Public clients such as SPAs and mobile apps cannot keep a secret and rely on PKCE instead.
Choose the OIDC Flow
OIDC defines several flows: the Authorization Code Flow, the Implicit Flow (deprecated; it exposes tokens in the browser URL and cannot use PKCE) and the Hybrid Flow. Your choice depends on your security requirements and the type of application.
In practice, use the Authorization Code Flow with PKCE for every client type. Server-side applications additionally authenticate to the token endpoint with their client secret, so tokens are only ever exchanged over a back-channel request.
Send the authentication request to the OIDC provider
When users attempt to authenticate, redirect them to the OIDC provider's authorization endpoint.
The request should include client_id, response_type (code for the Authorization Code Flow), scope (at least openid, which marks the request as OIDC; add profile, email, etc. to request more claims) and redirect_uri (where the provider sends the user afterward). Also send a random state value, which you store in the user's session and compare on return to stop login CSRF, a random nonce that the provider will echo in the ID token to prevent replay, and a PKCE code_challenge (with code_challenge_method=S256) derived from a code_verifier you keep on the server. Ensure the redirect URI matches the one you configured while registering your app exactly.
Handle the authentication response
After the user logs in, the OIDC provider redirects the user to your redirect_uri with an authorization code (Authorization Code Flow) or tokens in the URL fragment (Implicit Flow), or with an error parameter if authentication failed. Before doing anything with the code, check that the returned state matches the one stored in the session and reject the callback if it does not.
If using the Authorization Code Flow, make a server-side request to the OIDC provider's token endpoint to exchange the authorization code for tokens (an ID token and possibly an access token and refresh token). The request carries the code, the same redirect_uri, the client_id, the client secret for confidential clients, and the PKCE code_verifier. Authorization codes are single-use and short-lived; the provider rejects a code that has already been redeemed.
Validate the ID token
Validate the ID Token before trusting anything in it. Fetch the provider's signing keys from its JWKS endpoint (the jwks_uri in the discovery document), select the key by the token's kid, and verify the signature with an algorithm you have pinned (typically RS256), never one taken from the token header. Then check that iss matches the provider's issuer, that aud contains your client_id (and that azp is your client_id when several audiences are present), that exp has not passed, and that nonce equals the value you sent. If you also received an access token in the same response, the at_hash claim lets you confirm the two belong together.
Establish a user session
Use the claims in the ID Token to establish a session for the user in your app. Key the account on the iss and sub pair, which is the provider's stable identifier; email and name can change and, with some providers, be reassigned to a different person. Optionally, use the access token to retrieve additional user information from the OIDC provider's UserInfo endpoint, checking that the returned sub matches the ID token's.
Here’s a brief example of how you might set up a connection to Google’s OIDC provider using the Authorization Code Flow:
- Register your application in the Google API Console to obtain the client ID and client secret.
- Redirect users to Google’s authorization endpoint with the necessary parameters.
- Handle the redirect from Google with the authorization code.
- Exchange the authorization code for tokens at Google's token endpoint.
- Validate the ID Token and establish a session based on the user's identity.
Each OIDC provider will have documentation that provides URLs for their endpoints and additional parameters or features they support. You should review it before you build the connection.
How to build your own OIDC provider
Here’s a high-level guide on how to approach building your own OIDC provider:
Understand the OIDC spec
Familiarize yourself with the OIDC specification, including core concepts such as ID tokens, access tokens, the UserInfo endpoint, scopes, claims, the Discovery document (/.well-known/openid-configuration) and JWKS endpoint that clients use to find your endpoints and signing keys, and the authentication flows (Authorization Code, Implicit, Hybrid).
Manage client registrations
Set up a system to manage client registrations, including handling client credentials and configuration settings.
Many programming languages offer packages or libraries that simplify the complexities associated with OIDC. For instance, the node-oidc-provider npm package can manage token generation and handle different OAuth 2.0 grant types.
Add user authentication
Add logic to handle user authentication and authorization requests. This should include validating these requests (the client_id is registered, the redirect_uri exactly matches a registered value, the requested scopes are allowed, and a PKCE code_challenge is present for public clients) and generating the appropriate responses according to the OIDC flow. Issue authorization codes that are short-lived, single-use and bound to the client, redirect URI, nonce and code_challenge they were issued with, so the token endpoint can verify all of them on redemption.
Manage tokens
Code the logic for issuing ID and access tokens, with the claims dictated by the requested scopes. Sign ID tokens with an asymmetric key (RS256 or ES256), publish the public half at a JWKS endpoint with a kid, and plan for key rotation from the start. Consider setting up a UserInfo endpoint to provide claims about the authenticated user that are not included in the ID token. Ensure you validate tokens received in requests (for example, the access token presented to UserInfo) to confirm they were issued by you, have not expired and have not been tampered with.
Frequently asked questions
Is Okta an OIDC provider?
Okta acts as an OIDC provider, meaning it can handle user authentication and manage identity verification using the OpenID Connect protocol.
What’s the difference between a SAML provider and an OIDC provider?
SAML providers authenticate users via the Security Assertion Markup Language (SAML), an XML-based framework that allows identity providers (IdPs) to pass signed authentication assertions to service providers (SPs). It's typically used in corporate environments where Single Sign-On (SSO) is needed across multiple internal and external applications.
Examples include Okta’s and OneLogin’s SAML services.
OIDC providers use the OIDC protocol to authenticate users by providing JSON-based tokens that carry identity information (ID Tokens).
They are suited for modern application architectures, such as mobile apps, web apps, single-page applications (SPAs), and apps that require social logins.
Popular OIDC providers include Google, Microsoft, and Okta.
Read more: OIDC vs SAML: Key Differences and Which to Use
What’s the difference between OIDC and OAuth?
OAuth 2.0 is an authorization framework that lets apps access resources on users' behalf without revealing their login credentials. OIDC extends OAuth by adding an identity layer: it not only lets an app obtain the permissions it needs but also tells the app, via a signed ID token, who the user is.
Read more: OIDC vs OAuth: Understanding the key differences
Next steps
Need to connect to multiple OIDC providers within minutes?
With WorkOS, you can easily link up with major providers like Microsoft, GitHub, and Google using just one API. Plus, if you need to integrate with SAML providers, you can do that with the same API!
- Get started fast: With SDKs in every popular language, easy-to-follow documentation, and Slack-based support, you can implement SSO in minutes rather than weeks.
- Support every protocol: With OAuth 2.0 integrations to popular providers like Google and Microsoft, compatibility with every major IdP, and full support for custom SAML/OIDC connections, WorkOS can support any enterprise customer out of the box.
- Avoid the back-and-forth: WorkOS’s Admin Portal takes the pain out of onboarding your customers’ IT teams and configuring your app to work with their identity provider.
- Pricing that makes sense: Unlike competitors who price by monthly active users, WorkOS charges a flat rate for each company you onboard - whether they bring 10 or 10,000 SSO users to your app.
Sign up for WorkOS today, and start selling to enterprise customers tomorrow.