Before you start reading this document, please make sure to have covered all topics in OAuth 2.0 Concepts.
OpenID Connect is built on top of OAuth 2.0 and uses the same flows. Its primary use case is to solve "Login with <Google|Facebook|Hydra>" scenarios.
To initiate an OpenID Connect flow, all you have to do is add the openid scope to the authorization request of your OAuth 2.0 Authorize Code Flow.
You need to make sure that your OAuth 2.0 Client is allowed to request the openid scope.
Once you exchange the authorization code for the access and refresh token, you will additionally receive an ID Token.
The ID Token's purpose is to authenticate the End-User at the OAuth 2.0 Client Application. It does not solve session management or anything else (you still have to manage cookies, logout, ... yourself!); it is just a "certificate" stating who was authenticated, by whom, and for which client.
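Because the ID Token is only a "certificate", the client application has to check it before trusting it: signature, issuer, audience, expiry and the nonce it sent with the authorization request. The following is an added example (not code from the Hydra project or this documentation) of that check in Python. It assumes placeholder values for the issuer URL and client id, and it mints the token with HS256 and a constructed shared key purely so the example runs offline; Hydra itself signs ID Tokens with RS256 and publishes the verification key at its JWKS endpoint, so a real client verifies against that key instead.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Placeholders for this example (not values from the documentation).
ISSUER = "https://hydra.example.com/"
CLIENT_ID = "my-client"
# Constructed demo key. ORY Hydra signs ID Tokens with RS256 and publishes the
# public key at its JWKS endpoint; HS256 with a shared key is used here only so
# the example runs without a JWT library or network access.
DEMO_KEY = b"constructed-demo-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint a compact JWT so that validate_id_token has something to check."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def validate_id_token(token: str, expected_nonce: str,
                      key: bytes = DEMO_KEY, now: Optional[int] = None) -> dict:
    """Return the claims if the ID Token is valid for this client, else raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token's own header decide how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # The token must come from our provider and be meant for this client.
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    # The nonce ties this token to the authorization request we actually sent.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


if __name__ == "__main__":
    token = make_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1",
                           "iat": 1000, "exp": 2000, "nonce": "n-1"})
    print(validate_id_token(token, "n-1", now=1500)["sub"])
```

The returned claims, and in particular sub, are what the client may use to identify the End-User; nothing in the token establishes a session, which is why the text above says cookies and logout remain the client's job.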
The /userinfo endpoint returns information on a user given an access token. Since ORY Hydra is agnostic to any end-user data, the /userinfo endpoint returns only minimal information by default.
Any information set under the key session.id_token when accepting the consent request will also be included in the /userinfo response. By making the /userinfo call with a token issued by this consent request, one
You should only include data that has been authorized by the end-user through an OAuth 2.0 Scope. If an OAuth 2.0 Client, for example, requests the scope covering the end-user's phone number and the end-user authorizes that scope, the phone number should be added to session.id_token.
Be aware that the /userinfo endpoint is public. Its contents are thus as publicly visible as those of ID Tokens. It is therefore imperative not to expose sensitive information without end-user consent.
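The two rules above (only scope-authorized data goes into session.id_token, and everything put there is as public as the /userinfo endpoint) can be enforced mechanically in the consent app. The following is an added example in Python, not code from the Hydra project or this documentation: it builds the body the consent app would send when accepting the consent request through Hydra's admin API (the call itself is not made here), populating session.id_token only with claims covered by scopes the end-user actually granted. The user record and the scope-to-claims mapping are constructed for the example; the mapping follows the standard OpenID Connect scopes, so it goes slightly beyond the single phone-number case in the text.

```python
import json

# Claims each standard OpenID Connect scope authorizes (OpenID Connect Core, section 5.4).
SCOPE_CLAIMS = {
    "profile": ("name", "given_name", "family_name"),
    "email": ("email", "email_verified"),
    "phone": ("phone_number", "phone_number_verified"),
}

# Constructed user record, as the consent app would load it from its own user store.
USER_PROFILE = {
    "name": "Alice Example",
    "given_name": "Alice",
    "family_name": "Example",
    "email": "alice@example.com",
    "email_verified": True,
    "phone_number": "+1 555 0100",
    "phone_number_verified": False,
}


def build_consent_acceptance(requested_scope, granted_scope, profile, remember=False):
    """Build the consent-accept body for a consent request.

    Only claims covered by a scope the end-user granted end up in
    session.id_token; everything in that object becomes visible through the
    ID Token and the public /userinfo endpoint, so nothing else is added.
    """
    granted = list(dict.fromkeys(granted_scope))  # dedupe while keeping order
    # The end-user cannot grant more than the client asked for.
    not_requested = [s for s in granted if s not in requested_scope]
    if not_requested:
        raise ValueError(f"cannot grant scopes the client never requested: {not_requested}")

    id_token_claims = {}
    # Without the openid scope this is a plain OAuth 2.0 grant: there is no ID Token to fill.
    if "openid" in granted:
        for scope in granted:
            for claim in SCOPE_CLAIMS.get(scope, ()):
                if claim in profile:
                    id_token_claims[claim] = profile[claim]

    return {
        "grant_scope": granted,
        "remember": remember,
        "session": {"id_token": id_token_claims},
    }


if __name__ == "__main__":
    # The client asked for openid, email and phone; the end-user granted only openid and email,
    # so the phone number must not appear in the session.
    body = build_consent_acceptance(["openid", "email", "phone"], ["openid", "email"], USER_PROFILE)
    print(json.dumps(body, indent=2))
```

The subject identifier itself is not part of this body: in Hydra it is fixed when the login request is accepted, and only the extra claims are set here.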