1. 🔎 What is JWT?
Definition
- JWT (JSON Web Token) is a compact, URL-safe token format that encodes claims as a JSON object, digitally signed (JWS) or encrypted (JWE).
- Structure:
header.payload.signature(Base64URL encoded).
Structure
- Header → Algorithm & token type (e.g.,
{"alg":"RS256","typ":"JWT"}). - Payload → Claims: identity data & metadata (e.g.,
sub,exp,aud). - Signature → Verifies integrity & authenticity using a secret (HMAC) or key pair (RSA/ECDSA).
2. 🔎 What is OIDC?
Definition
- OpenID Connect (OIDC) is an authentication protocol built on OAuth 2.0.
- It adds a standard ID Token (JWT) that represents the user’s identity.
- Provides user authentication, profile info, and single sign-on (SSO).
Key OIDC Tokens
- ID Token (JWT) → proves who the user is.
- Access Token (JWT or opaque) → proves what the client can access.
- Refresh Token → gets new access tokens without re-login.
3. ❓ Why do we need them?
JWT
- Standardized, interoperable way to carry claims.
- Self-contained → no DB lookup needed for validation.
- Compact → good for APIs, mobile, web.
- Works across trust boundaries (issuer → consumer).
OIDC
- Standardized login flows (web, mobile, APIs).
- Federated identity → login with Google, Facebook, enterprise IdPs.
- Simplifies SSO across apps & organizations.
- Adds identity layer missing from OAuth 2.0.
4. ⚙️ How each works
A. JWT Lifecycle
- Issuer creates token → signs claims with private key.
- Client receives token → attaches to
Authorization: Bearer <token>. - Resource server validates:
- Decode Base64.
- Verify signature (with shared secret or public key via JWKS).
- Validate claims (
exp,iss,aud).
- Grant or deny access.
B. OIDC Flow (Authorization Code Grant – most common)
- User → Client App (e.g., SPA, mobile).
- Client redirects to IdP (OIDC provider) → login page.
- User authenticates → IdP issues authorization code.
- Client exchanges code at IdP’s Token Endpoint → receives:
- ID Token (JWT) = who user is.
- Access Token = what user can do.
- Refresh Token (optional).
- Client calls backend APIs with access token.
- APIs validate token signature & claims via JWKS.
5. 🔨 Use Cases
JWT
- Service-to-service authentication (microservices).
- API authorization (validate tokens at API gateway).
- Stateless sessions (store user claims in token instead of DB).
- Delegated authorization (OAuth2 access tokens in JWT form).
OIDC
- User login for apps (web, mobile).
- SSO across multiple apps/domains.
- Federated identity (Google, Facebook, Azure AD).
- Enterprise IAM (Okta, Auth0, Keycloak, Cognito, etc.).
6. 🧠 Advanced Concepts
- JWT Signing Algorithms:
- Symmetric (HMAC: HS256).
- Asymmetric (RSA/ECDSA: RS256/ES256).
- JWT Expiration & Rotation:
- Use short-lived access tokens + long-lived refresh tokens.
- Token Introspection:
- Sometimes you need central validation (introspection endpoint).
- JWE (Encrypted JWTs):
- Secure confidentiality, not just integrity.
- Scopes & Claims:
- OIDC adds standard claims (
sub,email,profile). - Custom claims supported in JWT payload.
- OIDC adds standard claims (
- Delegation:
- JWTs used in OAuth2 delegation & consent scenarios.
7. 🚫 Limitations & Risks
- JWT Risks:
- Replay attacks if tokens aren’t short-lived.
- Revocation is hard (since tokens are self-contained).
- Bloat if too many claims.
- “alg:none” attack (misconfigured libraries).
- OIDC Risks:
- Complexity (many flows, tokens).
- Misconfigured redirect URIs → open redirect attacks.
- Token leakage in browser history (if using implicit flow).
- Reliance on IdP availability.
8. ☁️ Cloud Provider Support
🔷 AWS
- JWT
- API Gateway HTTP APIs → JWT Authorizer (validate Firebase/Okta/Keycloak/…).
- Cognito issues JWT access & ID tokens.
- IAM roles for service-to-service often delivered as JWT (STS, OIDC federation).
- OIDC
- ALB
authenticate-oidcaction with Cognito or external OIDC IdP. - EKS uses OIDC for IRSA (IAM Roles for Service Accounts).
- Cognito User Pools = OIDC provider.
- ALB
🔷 Google Cloud
- JWT
- Cloud Endpoints & API Gateway validate JWTs.
- Cloud Run IAM uses Google-signed JWT ID tokens.
- Firebase Auth issues JWT ID tokens.
- OIDC
- API Gateway validates OIDC tokens from Firebase/Auth0/etc.
- Workload Identity Federation uses OIDC for IAM roles.
- Identity Platform = full OIDC provider.
🔷 Azure
- JWT
- Azure AD issues JWT access & ID tokens.
- API Management (APIM) validates JWTs.
- OIDC
- Azure AD is an OIDC provider.
- Azure App Service Authentication integrates with OIDC IdPs.
- AKS workload identity uses OIDC for federated access.
9. 🎯 Practical Patterns
- Users (humans)
- OIDC login → ID Token (JWT) → proves identity.
- Access token (JWT) → proves authorization.
- Services (machines)
- JWT via OAuth2 client credentials or workload identity federation.
- Hybrid
- Human logs in → gets token → service uses token to call another API.
10. 📌 Quick Comparison Table
| Feature | JWT | OIDC |
|---|---|---|
| Type | Token format | Authentication protocol |
| Who issues | Any IdP or app | OIDC-compliant IdP |
| Who uses | Apps, APIs, services | Apps authenticating human users |
| Scope | Authorization, service identity | Authentication + identity + SSO |
| Token | Access token (JWT) | ID token (JWT) + access token |
| Cloud use | API Gateway, STS, workload ID | Cognito, Firebase, Azure AD, Keycloak |
✅ In short:
- JWT = a token format for carrying claims, widely used in APIs & services.
- OIDC = a protocol for authenticating users, which issues JWTs (ID tokens).
- Both are essential for modern cloud-native identity & access control.
I’m Rajesh Kumar, a DevOps, SRE, DevSecOps, Cloud, and Platform Engineering expert passionate about sharing practical knowledge, real-world experiences, and industry best practices. I have worked at Cotocus and regularly write about technology, travel, investing, health, product reviews, and digital marketing through my various platforms.
I publish technical articles at DevOps School, travel stories at Holiday Landmark, stock market insights at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow, and SEO and digital marketing strategies at Wizbrand.
Find Trusted Cardiac Hospitals
Compare heart hospitals by city and services — all in one place.
Explore Hospitals
Thanks for this complete tutorial on JWT and OpenID Connect! I like how the explanations are clear and easy to follow — it really helps anyone trying to understand authentication concepts from scratch. Very useful guide!