OpenID Connect is a standardized identity layer on top of OAuth. It is specified by the OpenID Group. By design, OAuth does not expose the identity of the end user to the API consumer. The API consumer receives only an access token, which from its point of view is nothing more than an identifier – a random string. The access rights are not encoded into the access token but only associated with this identifier.

OpenID Connect extends OAuth with an additional token, the ID token, and an additional API, the userinfo API. The userinfo API is protected by OAuth and provides additional identity information about the user. The ID token holds identity information, such as first name, last name and email address. This information is contained in the ID token itself, and the token also contains a cryptographic signature of the OpenID Connect server.

The ID token is formatted according to the JSON Web Token (JWT) standard, defined in IETF RFC 7519. JWT can be used to represent and transfer claims in a secure manner. Claims are represented as JSON data structures. The claims object can be signed according to JSON Web Signature (JWS) to ensure integrity or encrypted according to JSON Web Encryption (JWE) to ensure privacy.
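To make the signed-claims structure concrete, the following added example (not code from the original page or from any OpenID Connect implementation) builds a JWS-signed ID token and verifies it before trusting its claims. It assumes HS256 with a shared key so that it runs on the Python standard library alone; the key, issuer and user values are constructed, and the function names are hypothetical.

```python
import base64, hashlib, hmac, json

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # JWS strips base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_id_token(claims: dict, key: bytes) -> str:
    """Build a compact JWS: base64url(header).base64url(claims).base64url(signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_id_token(token: str, key: bytes) -> dict:
    """Return the claims only if the signature is valid; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the expected algorithm; the token's own header must not choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise ValueError("bad signature")
    # Claims are decoded only after the integrity check has passed.
    return json.loads(b64url_decode(payload_b64))

# Constructed sample values (assumptions for this example, not from the page).
DEMO_KEY = b"constructed-demo-key"
DEMO_CLAIMS = {"iss": "https://op.example", "sub": "user-123", "given_name": "Ada",
               "family_name": "Lovelace", "email": "ada@op.example"}
DEMO_TOKEN = sign_id_token(DEMO_CLAIMS, DEMO_KEY)

if __name__ == "__main__":
    print(DEMO_TOKEN)
    print(verify_id_token(DEMO_TOKEN, DEMO_KEY))
```

A complete ID token check also validates claims such as issuer, audience and expiry; this example covers only the JWS integrity step described above.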

Check out the OpenID Connect Book for more details.