How it works
OpenID Connect (OIDC) is an identity protocol that uses the authentication and authorization components of OAuth2.0 and is widely adopted by identity providers. It's purpose is to give users a single login for multiple sites. OIDC can be used by all sort of client applications, include SPAs, native and mobile apps.
Each time you need to log in to a website using OIDC, you are redirected to your OIDC-compliant provider where you log in, and then taken back to the website. For example, if you chose to sign in to PayPal using your Google account then you used OIDC. Once you successfully authenticate with Google and authorize PayPal to access your information, Google sends information back to PayPal about the user and the authentication performed. This information is returned in a JWT. You'll receive an access token and if requested, an ID token. The same thing can happen with Passage.
The identity provider (e.g. Passage) determines the authentication methods available to users, so we can support any number of options including device biometrics, magic links, and one-time codes. OIDC defines how identity providers and applications interact to establish end user authentication.
A typical login flow will look like this:
User Requests Access: When a user wants to access a protected resource in your client application, they are redirected to the Passage OIDC authentication endpoint.
User Authentication: Passage acts as the OIDC identity provider and authenticates the user based on the settings configured in Passage (e.g. passkeys, one-time codes).
ID Token and Access Token: Upon successful authentication, Passage generates an ID Token and an Access Token as JSON Web Tokens (JWTs). The ID Token contains essential user identity information and is signed by Passage, ensuring its authenticity. The Access Token allows the client application to access resources on behalf of the user, with permissions granted by the IDP.
Additional Resources
Last updated