Complete Tutorial: JWT (JSON Web Token) & OIDC (OpenID Connect)

1. 🔎 What is JWT?

Definition

• JWT (JSON Web Token) is a compact, URL-safe token format that encodes claims as a JSON object, digitally signed (JWS) or encrypted (JWE).
• Structure: header.payload.signature (Base64URL encoded).

Structure

1. Header → Algorithm & token type (e.g., {"alg":"RS256","typ":"JWT"}).
2. Payload → Claims: identity data & metadata (e.g., sub, exp, aud).
3. Signature → Verifies integrity & authenticity using a secret (HMAC) or key pair (RSA/ECDSA).

2. 🔎 What is OIDC?

Definition

• OpenID Connect (OIDC) is an authentication protocol built on OAuth 2.0.
• It adds a standard ID Token (JWT) that represents the user’s identity.
• Provides user authentication, profile info, and single sign-on (SSO).

Key OIDC Tokens

• ID Token (JWT) → proves who the user is.
• Access Token (JWT or opaque) → proves what the client can access.
• Refresh Token → gets new access tokens without re-login.

3. ❓ Why do we need them?

JWT

• Standardized, interoperable way to carry claims.
• Self-contained → no DB lookup needed for validation.
• Compact → good for APIs, mobile, web.
• Works across trust boundaries (issuer → consumer).

OIDC

• Standardized login flows (web, mobile, APIs).
• Federated identity → login with Google, Facebook, enterprise IdPs.
• Simplifies SSO across apps & organizations.
• Adds identity layer missing from OAuth 2.0.

4. ⚙️ How each works

A. JWT Lifecycle

1. Issuer creates token → signs claims with private key.
2. Client receives token → attaches to Authorization: Bearer <token>.
3. Resource server validates:
   • Decode Base64.
   • Verify signature (with shared secret or public key via JWKS).
   • Validate claims (exp, iss, aud).
4. Grant or deny access.

B. OIDC Flow (Authorization Code Grant – most common)

1. User → Client App (e.g., SPA, mobile).
2. Client redirects to IdP (OIDC provider) → login page.
3. User authenticates → IdP issues authorization code.
4. Client exchanges code at IdP’s Token Endpoint → receives:
   • ID Token (JWT) = who user is.
   • Access Token = what user can do.
   • Refresh Token (optional).
5. Client calls backend APIs with access token.
6. APIs validate token signature & claims via JWKS.

5. 🔨 Use Cases

JWT

• Service-to-service authentication (microservices).
• API authorization (validate tokens at API gateway).
• Stateless sessions (store user claims in token instead of DB).
• Delegated authorization (OAuth2 access tokens in JWT form).

OIDC

• User login for apps (web, mobile).
• SSO across multiple apps/domains.
• Federated identity (Google, Facebook, Azure AD).
• Enterprise IAM (Okta, Auth0, Keycloak, Cognito, etc.).

6. 🧠 Advanced Concepts

• JWT Signing Algorithms:
  • Symmetric (HMAC: HS256).
  • Asymmetric (RSA/ECDSA: RS256/ES256).
• JWT Expiration & Rotation:
  • Use short-lived access tokens + long-lived refresh tokens.
• Token Introspection:
  • Sometimes you need central validation (introspection endpoint).
• JWE (Encrypted JWTs):
  • Secure confidentiality, not just integrity.
• Scopes & Claims:
  • OIDC adds standard claims (sub, email, profile).
  • Custom claims supported in JWT payload.
• Delegation:
  • JWTs used in OAuth2 delegation & consent scenarios.

7. 🚫 Limitations & Risks

• JWT Risks:
  • Replay attacks if tokens aren’t short-lived.
  • Revocation is hard (since tokens are self-contained).
  • Bloat if too many claims.
  • “alg:none” attack (misconfigured libraries).
• OIDC Risks:
  • Complexity (many flows, tokens).
  • Misconfigured redirect URIs → open redirect attacks.
  • Token leakage in browser history (if using implicit flow).
  • Reliance on IdP availability.

8. ☁️ Cloud Provider Support

🔷 AWS

• JWT
  • API Gateway HTTP APIs → JWT Authorizer (validate Firebase/Okta/Keycloak/…).
  • Cognito issues JWT access & ID tokens.
  • IAM roles for service-to-service often delivered as JWT (STS, OIDC federation).
• OIDC
  • ALB authenticate-oidc action with Cognito or external OIDC IdP.
  • EKS uses OIDC for IRSA (IAM Roles for Service Accounts).
  • Cognito User Pools = OIDC provider.

🔷 Google Cloud

• JWT
  • Cloud Endpoints & API Gateway validate JWTs.
  • Cloud Run IAM uses Google-signed JWT ID tokens.
  • Firebase Auth issues JWT ID tokens.
• OIDC
  • API Gateway validates OIDC tokens from Firebase/Auth0/etc.
  • Workload Identity Federation uses OIDC for IAM roles.
  • Identity Platform = full OIDC provider.

🔷 Azure

• JWT
  • Azure AD issues JWT access & ID tokens.
  • API Management (APIM) validates JWTs.
• OIDC
  • Azure AD is an OIDC provider.
  • Azure App Service Authentication integrates with OIDC IdPs.
  • AKS workload identity uses OIDC for federated access.

9. 🎯 Practical Patterns

• Users (humans)
  • OIDC login → ID Token (JWT) → proves identity.
  • Access token (JWT) → proves authorization.
• Services (machines)
  • JWT via OAuth2 client credentials or workload identity federation.
• Hybrid
  • Human logs in → gets token → service uses token to call another API.

10. 📌 Quick Comparison Table

✅ In short:

• JWT = a token format for carrying claims, widely used in APIs & services.
• OIDC = a protocol for authenticating users, which issues JWTs (ID tokens).
• Both are essential for modern cloud-native identity & access control.

Rajesh Kumar

I’m a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share tech blog at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow , and SEO strategies at Wizbrand.

Do you want to learn Quantum Computing?

Please find my social handles as below;

Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at WIZBRAND

Rajesh Kumar DailyLogs