OIDC Overview

OpenID Connect (OIDC) is a modern authentication protocol built on top of OAuth 2.0. It allows applications to verify a user’s identity using an authorization server, enabling secure, standards-based authentication. OIDC is widely supported and enables features such as single sign-on (SSO), identity verification, and secure token handling.

Authentication is foundational to application security. OIDC simplifies and secures this process by offering a well-defined framework that reduces implementation errors, supports user privacy, and integrates smoothly with a wide range of identity providers.

With OIDC, your application can:

• Authenticate users securely using authorization flows

• Enable SSO across multiple applications

• Verify and manage user identity consistently

• Protect sensitive operations using token-based access control

OIDC operates by establishing a trust relationship between:

• Client (your application)

• Authorization Server (Next Identity)

• End User (the person signing in)

When a user attempts to authenticate, the client application redirects them to the authorization server. Upon successful authentication, the server sends an ID token (along with optional access and refresh tokens) back to the application. This token contains verified identity claims about the user.

Next Identity supports standard OIDC endpoints and flows, including:

• Authorization Code Flow (recommended)

• PKCE (Proof Key for Code Exchange) for public clients

• Token and UserInfo endpoints for retrieving identity details

Each environment has one or more client ID. This ID identifies your application and configurations to the authorization server and must be included in OIDC requests.

• Default settings apply at the property level.

• Specific clients (by client ID) may override defaults.

Next Identity supports two types of clients:

• Public Clients — Cannot securely store secrets (e.g., browser or mobile apps). These use PKCE for security.

• Confidential Clients — Can securely store secrets (e.g., backend servers). These use a client secret for authentication.

The client secret acts like a password and is used with confidential clients only. It is required for server-to-server requests and for using the /token endpoint in backend integrations.

Security note:

• Never share client secrets via email, chat, or tickets.

• If a secret is exposed, it must be rotated immediately.

• Treat this credential with the same sensitivity as a user password.

This is the endpoint where users are sent after authentication is complete. It must be explicitly whitelisted by your application using the client settings in console.

• Must include full URL path (wildcards are not supported)

• Used to receive authorization codes and tokens

• Should include proper state handling for security

The state parameter is a required anti-forgery token used to maintain request integrity. Your application must:

• Generate a unique state value for each OIDC request

• Send this value with the request to Next Identity

• Validate the returned value upon redirect

This protects against CSRF (Cross-Site Request Forgery) and ensures continuity between request and response.

• Implementing secure login for web and mobile applications

• Enabling SSO across customer-facing services

• Retrieving verified user profile information using ID tokens

• Protecting backend resources with scoped access tokens

• Use PKCE with public clients to enhance security

• Store client secrets securely, and rotate them if exposed

• Whitelist only trusted redirect URIs

• Always generate and validate the state parameter

• Work with the Next Identity team to configure client settings and ensure appropriate scoping