STANDARD

OpenID Connect (OIDC) — Primer

OpenID Connect is an identity layer on top of OAuth 2.0. It issues signed ID Tokens (JWTs) and defines Discovery and the UserInfo endpoint for federated login.


Why it matters

Standards reduce risk and vendor lock‑in. We implement this spec across our Studios and runtime so policy is portable.

Where it’s enforced

  • Gateway: pre‑execution gating (plan/schema pins, parameter and egress checks)
  • Shield: inline budgets, stream caps and content checks
  • PDP: policy decisions carrying constraints, obligations and a TTL
  • IdP: passports, token exchange, consent and DPoP

How it works (high level)

OIDC adds an ID Token, a signed JWT carrying claims such as iss (the issuer), sub (a stable subject identifier), aud (the audience, which must include the client's client_id), exp and iat (expiry and issue time), and nonce (required in the Implicit Flow, recommended in the Authorization Code Flow; it echoes the value the client sent in the authentication request so a captured token cannot be replayed into another session). Before trusting any claim, the Relying Party verifies the signature against a key from the issuer's JWKS and checks iss, aud, exp, iat and nonce; pin the accepted alg to what the client expects rather than taking it from the token header. UserInfo is fetched from the userinfo_endpoint with the OAuth 2.0 access token as a Bearer token (RFC 6750), not with the ID Token, and the sub it returns must equal the ID Token's sub. Use OpenID Connect Discovery (GET {issuer}/.well-known/openid-configuration) to locate the authorization, token and UserInfo endpoints and the jwks_uri that publishes the signing keys.
