OpenID Connect supports many of the same flows as OAuth 2.0. At the end of the OpenID Connect process, the client ends up with an "ID Token", which contains information about the user who signed in. This token is encoded and signed, and the client is expected to parse it directly. When a client uses an OpenID Connect flow, it can request an access token in addition to an ID token.

In this example, we'll cover the OpenID Connect Authorization Code flow and request an ID token as well as an access token.

Before authorization begins, it first generates a random string to use for the state parameter. The client will need to store this to be used in the next step.

/authorize?
  response_type=code
  &client_id=
  &redirect_uri=/oidc.html
  &scope=openid+profile+email+photos
  &state=
  &nonce=

For this demo, we've gone ahead and generated random state and nonce parameters (shown above) and saved them in a cookie.

Click "Authorize" below to be taken to the authorization server. You'll need to enter the username and password that was generated for you.

The user was redirected back to the client, and you'll notice a few additional query parameters in the URL:

?state=&code=

You need to first verify that the state parameter matches the value stored in this user's session so that you protect against CSRF attacks.

Depending on how you've stored the state parameter (in a cookie, session, or some other way), verify that it matches the state that you originally included in step 1. Previously, we had stored the state in a cookie for this demo.

Does the state stored by the client () match the state in the redirect ()?

Now you're ready to exchange the authorization code for an access token.

The client builds a POST request to the token endpoint with the following parameters:

POST /token

Note that the client's credentials are included in the POST body in this example. Other authorization servers may require that the credentials are sent as a HTTP Basic Authentication header.

Here's the response from the token endpoint!

Your application can use the access token to make API requests on behalf of the user.