Home Support Authentication and User Management OAuth2 and OIDC Overview

OAuth2 and OIDC Overview

Last updated: December 2025

What Are OAuth2 and OpenID Connect?

If you’re building a web application that needs to authenticate users, you’ve probably heard of OAuth2 and OpenID Connect (OIDC). Let’s break down what these are and why they matter.

OAuth2 – The Authorization Framework

OAuth2 is an industry-standard protocol for authorization. Think of it as a way for your application to get permission to access resources on behalf of a user, without ever seeing the user’s password.

OpenID Connect – Authentication on Top of OAuth2

OpenID Connect (OIDC) builds on OAuth2 to provide authentication. While OAuth2 handles authorization (“Can this app access my data?”), OIDC handles authentication (“Who is this user?”).

OIDC adds:

  • ID Tokens: JWT tokens that contain user identity information
  • UserInfo Endpoint: An API endpoint that returns user profile information
  • Standardized Claims: Common user attributes like email, name, etc.

Why We Use OAuth2 and OIDC

✅ Industry Standards

OAuth2 and OIDC are widely adopted standards (RFC 6749 and OIDC Core 1.0). This means:

  • You can use any compliant client library
  • Your integration will work with our system
  • You’re following security best practices

✅ Security

  • No Password Sharing: Users never give your application their password
  • Token-Based: Short-lived access tokens reduce security risks
  • PKCE Protection: Prevents authorization code interception attacks
  • CSRF Protection: State parameters prevent cross-site request forgery

✅ User Experience

  • Single Sign-On (SSO): Users can authenticate once and access multiple services
  • Consent Management: Users can see and control what permissions they grant
  • Standard Flows: Familiar patterns that users recognize

✅ Flexibility

  • Works with web applications, mobile apps, and server-to-server communication
  • Supports different grant types for different use cases
  • Extensible for future requirements

Our Compliance

We’re proud to be compliant with OAuth2 and OpenID Connect standards:

OAuth2 Compliance

  • Authorization Code Flow (RFC 6749 Section 4.1)
  • PKCE (RFC 7636) – Required for all public clients
  • Token Management – Access tokens, refresh tokens, proper expiry
  • Security Features – State parameter, redirect URI validation, single-use authorization codes
  • Client Authentication – Supports both public and confidential clients

OpenID Connect Compliance

  • Authorization Endpoint with OIDC parameters
  • Token Endpoint returning ID tokens
  • UserInfo Endpoint for user profile information
  • Discovery Document (.well-known/openid-configuration)
  • JWKS Endpoint (.well-known/jwks.json)
  • Standard Claims – sub, email, name, groups, etc.

Recommended Client Libraries

Since we’re standards-compliant, you can use any OAuth2/OIDC compliant client library. Here are some popular, well-maintained options:

JavaScript/TypeScript

oidc-client-ts (Recommended)

npm install oidc-client-ts
  • ✅ Full OIDC support
  • ✅ PKCE support built-in
  • ✅ Token management and refresh
  • ✅ Works in browsers and Node.js
  • GitHub: https://github.com/authts/oidc-client-ts

@azure/msal-browser

npm install @azure/msal-browser
  • ✅ Microsoft-maintained
  • ✅ Excellent TypeScript support
  • ✅ PKCE support
  • ✅ Works with any OIDC provider
  • GitHub: https://github.com/AzureAD/microsoft-authentication-library-for-js

C# / .NET

Microsoft.AspNetCore.Authentication.OpenIdConnect

  • ✅ Built into ASP.NET Core
  • ✅ Full OIDC support
  • ✅ PKCE support
  • ✅ Middleware-based integration
  • Documentation: https://learn.microsoft.com/en-us/aspnet/core/security/authentication/openid-connect

IdentityModel.OidcClient

dotnet add package IdentityModel.OidcClient
  • ✅ Lightweight OIDC client
  • ✅ PKCE support
  • ✅ Works in desktop and console applications
  • GitHub: https://github.com/IdentityModel/IdentityModel.OidcClient

Python

authlib

pip install authlib
  • ✅ Full OAuth2 and OIDC support
  • ✅ PKCE support
  • ✅ Flask and Django integrations available
  • GitHub: https://github.com/lepture/authlib

requests-oauthlib

pip install requests-oauthlib
  • ✅ OAuth2 support
  • ✅ Works with requests library
  • ✅ Good for server-side applications
  • GitHub: https://github.com/requests/requests-oauthlib

Key Concepts

Authorization Code Flow with PKCE

This is the flow we use for web applications. Here’s how it works:

  1. User clicks “Login” in your application
  2. Your app redirects to our authorization endpoint
  3. User authenticates on our system
  4. We redirect back with an authorization code
  5. Your app exchanges the code for tokens (access token, refresh token, ID token)
  6. Your app uses the access token to call our APIs

PKCE (Proof Key for Code Exchange) adds an extra security layer by requiring a code verifier that only your application knows.

Tokens

  • Access Token: Short-lived JWT token (typically 15 minutes) used to authenticate API requests
  • Refresh Token: Long-lived token (typically 30 days) used to get new access tokens
  • ID Token: JWT token containing user identity information (OIDC)

Scopes

Scopes define what permissions your application is requesting:

  • openid – Required for OIDC (enables ID token)
  • profile – Access to user profile information
  • email – Access to user email address

Discovery Endpoint

We provide a discovery endpoint that tells client libraries everything they need to know:

Endpoint Path:

GET /tenant/{tenantId}/v2.0/Auth/.well-known/openid-configuration

Full URL Structure:

{baseUrl}/tenant/{tenantId}/v2.0/Auth/.well-known/openid-configuration

Example:
If your base URL is https://auth.agglestone.com and your tenant ID is 79199f3a-6669-4a21-ac5f-5dec93d90b57, the full discovery endpoint URL would be:

https://auth.agglestone.com/tenant/79199f3a-6669-4a21-ac5f-5dec93d90b57/v2.0/Auth/.well-known/openid-configuration

Important: The discovery endpoint path includes:

  • Base URL (e.g., https://auth.agglestone.com)
  • /tenant/{tenantId} – Your tenant identifier
  • /v2.0/Auth/ – The authentication API prefix (v2.0 is the API version)
  • /.well-known/openid-configuration – The OIDC discovery document path

This endpoint returns:

  • Authorization endpoint URL
  • Token endpoint URL
  • UserInfo endpoint URL
  • Supported scopes, grant types, and more

Most client libraries can automatically discover our configuration using this endpoint!

Next Steps

Now that you understand the concepts, check out: