How does OpenID Connect work?
OpenID Connect is an identity layer on top of the OAuth 2.0 protocol.
It specifies an extensible suite for client and end-user identity interaction that allows all types of clients to request and receive information about authenticated sessions and end-users, as well as providing access to backend APIs using OAuth 2.0 tokens.
Here’s a high-level overview of how OpenID Connect works:
- The user attempts to log in to a relying party (RP) — this is the web application or service that they want to access.
- The RP redirects the user to an OpenID Connect provider (OP) — this is the IdP that the user has an account with. The RP includes some information in the redirect URL, including its own client ID, a redirect URI, and a request for authentication.
- The OP authenticates the user — this can involve prompting the user to enter their username and password, or using some other form of authentication like multi-factor authentication or biometrics.
- The OP generates an ID token — this is a JSON Web Token (JWT) that contains information about the user, such as their username, email address, and a unique identifier for the user.
- The OP redirects the user back to the RP — the ID token is included in the redirect URL.
- The RP validates the ID token — it checks that the token was issued by a trusted OP, that it hasn’t expired, and that it contains the information that the RP needs to authenticate the user.
- The RP grants the user access — if the ID token is valid, the RP grants the user access to the application or service.
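The seven steps above, carried through end to end as an added example (this is not code from the original page or from any OpenID Connect library). The RP builds the authentication request (step 2), a simulated OP mints the ID token (steps 3-4) and returns it in the callback URL (step 5), and the RP validates it before granting access (steps 6-7). All names (`OP_ISSUER`, `CLIENT_ID`, `REDIRECT_URI`, `CLIENT_SECRET`, the user `user-42`) are constructed for the example. One assumption to note: the token is signed with HS256 using a shared client secret so the block runs offline with the standard library only; real OPs usually sign with RS256 and publish their public keys via a JWKS endpoint, and the same checks (pinned algorithm, signature, `iss`, `aud`, `exp`, `nonce`) apply there.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical RP / OP settings, constructed for this example.
OP_ISSUER = "https://op.example"
OP_AUTHORIZE_ENDPOINT = OP_ISSUER + "/authorize"
CLIENT_ID = "rp-client-123"
REDIRECT_URI = "https://rp.example/callback"
# Constructed shared secret (HS256). Real OPs normally use RS256 with keys from their JWKS endpoint.
CLIENT_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authentication_request(state: str, nonce: str) -> str:
    """Step 2: the RP builds the redirect URL that sends the user to the OP."""
    params = {
        "response_type": "id_token",  # ID token returned directly, matching the steps above
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": state,  # ties the callback to this browser session (CSRF protection)
        "nonce": nonce,  # echoed inside the ID token to bind it to this request
    }
    return OP_AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def op_issue_id_token(subject: str, email: str, nonce: str, now: int) -> str:
    """Steps 3-4 (simulated OP): after authenticating the user, mint a signed ID token (JWT)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": OP_ISSUER, "sub": subject, "aud": CLIENT_ID, "email": email,
              "nonce": nonce, "iat": now, "exp": now + 300}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token: str, expected_nonce: str, now: int) -> dict:
    """Step 6: the RP validates the ID token. Raises ValueError on the first failed check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the RP expects; never let the token choose (rejects "none" and key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(CLIENT_SECRET, (header_b64 + "." + claims_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != OP_ISSUER:                       # issued by the trusted OP
        raise ValueError("untrusted issuer")
    aud_list = claims.get("aud") if isinstance(claims.get("aud"), list) else [claims.get("aud")]
    if CLIENT_ID not in aud_list:                            # intended for this RP
        raise ValueError("token not intended for this RP")
    if len(aud_list) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("azp missing or wrong for multi-audience token")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + 60:
        raise ValueError("iat in the future")
    if not hmac.compare_digest(str(claims.get("nonce")), expected_nonce):
        raise ValueError("nonce mismatch")                   # token not bound to our request
    if "sub" not in claims:                                  # the unique user identifier the RP keys on
        raise ValueError("missing sub")
    return claims


def rejection_reason(token: str, expected_nonce: str, now: int) -> str:
    """The reason a token is rejected, or '' when it validates (useful for logging and tests)."""
    try:
        validate_id_token(token, expected_nonce, now)
        return ""
    except ValueError as exc:
        return str(exc)


def run_login_flow(now: int) -> dict:
    """Drives steps 1-7 and returns the claims the RP would base its session on (step 7)."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    auth_url = build_authentication_request(state, nonce)
    request_params = parse_qs(urlparse(auth_url).query)      # what the OP receives
    id_token = op_issue_id_token("user-42", "alice@example.com", request_params["nonce"][0], now)
    callback = REDIRECT_URI + "#" + urlencode({"id_token": id_token, "state": state})  # step 5
    fragment = parse_qs(urlparse(callback).fragment)
    if fragment["state"][0] != state:
        raise ValueError("state mismatch")
    return validate_id_token(fragment["id_token"][0], nonce, now)


if __name__ == "__main__":
    print(run_login_flow(int(time.time())))
```

Each check in `validate_id_token` fails closed and maps to one line of step 6: the signature and pinned `alg` establish that a trusted OP produced the token, `iss` and `aud` confirm who issued it and for whom, `exp` and `iat` handle expiry, and `nonce` ties the token to the exact request the RP sent, so a token captured from another login cannot be replayed into this session.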
OpenID Connect allows users to authenticate themselves to web applications and services using their existing accounts from other identity providers. The protocol is based on OAuth 2.0, and involves redirecting the user to an OpenID Connect provider for authentication, generating an ID token that contains information about the user, and redirecting the user back to the relying party with the ID token for validation and access grant.