openid-connect

OpenID Connect identity layer. Use for SSO.

7 stars

Best use case

openid-connect is best used when you need a repeatable AI agent workflow instead of a one-off prompt.


Teams using openid-connect should expect more consistent output, faster repeated execution and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/openid-connect/SKILL.md --create-dirs "https://raw.githubusercontent.com/G1Joshi/Agent-Skills/main/skills/security/openid-connect/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/openid-connect/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How openid-connect Compares

| Feature / Agent         | openid-connect | Standard Approach |
| :---------------------- | :------------- | :---------------- |
| Platform Support        | Not specified  | Limited / Varies  |
| Context Awareness       | High           | Baseline          |
| Installation Complexity | Unknown        | N/A               |

Frequently Asked Questions

What does this skill do?

OpenID Connect identity layer. Use for SSO.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# OpenID Connect (OIDC)

OIDC is an **identity** layer on top of OAuth 2.0. OAuth 2.0 on its own answers "what may this client access?" (authorization) and says nothing about who is at the keyboard; OIDC adds a signed **ID Token** that answers "who just logged in, and how?" (authentication).

## When to Use

- **Single Sign-On (SSO)**: One login for multiple apps.
- **User Profile**: Getting `name`, `email`, `picture` from a provider.
- **Enterprise Identity**: Connecting to a corporate identity provider (e.g. AD FS or Microsoft Entra ID, which front Active Directory accounts with OIDC; on-premises Active Directory itself does not speak OIDC).

## Quick Start

```http
# Authorization request. The 'openid' scope is what makes this an OIDC request;
# state binds the callback to the browser session, nonce is echoed in the ID Token.
GET /authorize?
  response_type=code&
  scope=openid%20profile%20email&
  client_id=...&
  redirect_uri=...&
  state=...&
  nonce=...

# Token response, after the client exchanges the returned code at the token endpoint
{
  "access_token": "SlAV32hkKG...",   // for calling APIs, including /userinfo
  "token_type": "Bearer",
  "id_token": "eyJ0eXAiOiJKV1Qi...", // JWT asserting who authenticated
  "expires_in": 3600
}
```
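The request above, built and checked from the client side, as an added example in Go (not code from this SKILL.md or the upstream repository). It goes slightly past the Quick Start by adding a PKCE `code_challenge`, which current practice expects for the code flow alongside `state` and `nonce`. The endpoint, client ID, redirect URI and the callback URL in `main` are made-up values.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// randomToken returns 32 bytes from the CSPRNG as unpadded base64url, the form
// used here for state, nonce and the PKCE code_verifier.
func randomToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to work around
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// AuthRequest is what the client must remember (in the user's session) until
// the provider redirects back.
type AuthRequest struct {
	URL          string
	State        string // echoed on the callback; binds it to this browser session
	Nonce        string // must reappear as the nonce claim of the ID Token
	CodeVerifier string // PKCE secret, sent only when exchanging the code
}

// BuildAuthRequest assembles the /authorize request from the Quick Start,
// adding state, nonce and a PKCE S256 challenge.
func BuildAuthRequest(authorizeEndpoint, clientID, redirectURI string, scopes []string) AuthRequest {
	state, nonce, verifier := randomToken(), randomToken(), randomToken()
	challenge := sha256.Sum256([]byte(verifier))
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("scope", strings.Join(scopes, " ")) // "openid" is what makes this an OIDC request
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("state", state)
	q.Set("nonce", nonce)
	q.Set("code_challenge", base64.RawURLEncoding.EncodeToString(challenge[:]))
	q.Set("code_challenge_method", "S256")
	return AuthRequest{URL: authorizeEndpoint + "?" + q.Encode(), State: state, Nonce: nonce, CodeVerifier: verifier}
}

// CheckCallback validates the redirect back from the provider before the code
// is exchanged: error responses are surfaced and the state must match exactly.
func CheckCallback(callbackURL, expectedState string) (string, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("provider returned %q: %s", e, q.Get("error_description"))
	}
	if expectedState == "" || q.Get("state") != expectedState {
		return "", errors.New("state mismatch: possible CSRF or mixed-up login")
	}
	if q.Get("code") == "" {
		return "", errors.New("no authorization code in callback")
	}
	return q.Get("code"), nil
}

func main() {
	req := BuildAuthRequest("https://idp.example.com/authorize", "my-client-id",
		"https://app.example.com/callback", []string{"openid", "profile", "email"})
	fmt.Println(req.URL)
	// Constructed callback, as the browser would deliver it after a successful login.
	code, err := CheckCallback("https://app.example.com/callback?code=SplxlOBeZQQYbYS6WxSbIA&state="+req.State, req.State)
	fmt.Println(code, err)
}
```

The three secrets in `AuthRequest` belong in the server-side session keyed to the browser, never in the URL the user can edit: `State` is compared on the callback, `CodeVerifier` goes to the token endpoint with the code, and `Nonce` is compared against the ID Token once it has been validated.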

## Core Concepts

### ID Token

A JSON Web Token (JWT), signed by the provider, that contains claims (assertions) about the authentication event and the user: `iss` (who issued it), `sub` (a stable user identifier), `aud` (which client it was issued to), `exp` and `iat` (its validity window) and, when one was sent in the request, `nonce`. It is meant to be consumed by the client that requested it, not forwarded to APIs.

### UserInfo Endpoint

A standard OAuth-protected endpoint (`/userinfo`) that returns additional claims about the user when called with the Access Token as a Bearer token.

### Scopes

- `openid`: Required to use OIDC.
- `profile`: Request access to name, picture, etc.
- `email`: Request access to email.

## Common Patterns

### Discovery Endpoint

`{issuer}/.well-known/openid-configuration`. A JSON document the provider publishes that lists the issuer, authorization endpoint, token endpoint, UserInfo endpoint, `jwks_uri` (where the public signing keys are served) and the supported signing algorithms, so a client can configure itself from the issuer URL alone.

## Best Practices

**Do**:

- Validate the **ID Token Signature** against the provider's JWKS, selecting the key by `kid` and accepting only the algorithm(s) you expect (e.g. `RS256`).
- Check the **Audience** (`aud`) claim contains your Client ID (`aud` may be a single string or an array).
- Check the **Issuer** (`iss`) claim exactly matches the provider's issuer URL.
- Check the **Expiry** (`exp`) claim against the current time.
- Use a per-login **Nonce**: generate it, keep it in the session, send it in the authorization request and require the ID Token's `nonce` claim to match. This prevents a captured ID Token from being replayed into another session.

**Don't**:

- Don't treat the Access Token as an ID Token. Access Tokens are opaque to the client in standard OAuth (even when they happen to be JWTs) and are meant for resource servers, not for establishing who logged in.
- Don't accept unsigned ID Tokens (algorithm `none`), and pin the expected algorithm instead of trusting the `alg` in the token header.
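The checks in the two lists above as an added Go relying-party verifier (not the skill's own code). The JWKS builder and the RS256 signing helper are included only so the block runs offline; in production the JWKS is fetched from the `jwks_uri` in the discovery document, and the issuer, client ID, key id and nonce below are made-up values. It goes one step past the list by accepting `aud` as either a string or an array, both of which the spec allows.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JOSE segments are unpadded base64url

// JWK/JWKS model the key document served at the discovery document's jwks_uri (RFC 7517,
// RSA subset); encoding/json maps "kty", "kid", "n", "e" to these fields case-insensitively.
type JWK struct{ Kty, Kid, N, E string }
type JWKS struct{ Keys []JWK }

// IDClaims are the registered claims a relying party must check (OIDC Core 3.1.3.7).
type IDClaims struct {
	Iss   string          `json:"iss"`
	Sub   string          `json:"sub"`
	Aud   json.RawMessage `json:"aud"` // the spec allows a string or an array of strings
	Exp   int64           `json:"exp"`
	Nonce string          `json:"nonce"`
}

// JWKSFor publishes pub under kid, the way a provider's jwks_uri would.
func JWKSFor(pub *rsa.PublicKey, kid string) JWKS {
	e := big.NewInt(int64(pub.E)).Bytes()
	return JWKS{Keys: []JWK{{Kty: "RSA", Kid: kid, N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(e)}}}
}

// MintIDToken signs claims as an RS256 JWT; it stands in for the provider's token endpoint.
func MintIDToken(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// segment base64url-decodes one JWT segment and unmarshals its JSON into v.
func segment(s string, v any) error {
	b, err := b64.DecodeString(s)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// VerifyIDToken runs the relying-party checks from the Best Practices list: pinned
// algorithm, signature against the JWKS key named by kid, then iss, aud, exp and nonce.
func VerifyIDToken(token string, keys JWKS, issuer, clientID, nonce string, now time.Time) (*IDClaims, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if len(parts) != 3 || segment(parts[0], &hdr) != nil {
		return nil, errors.New("malformed JWT")
	}
	if hdr.Alg != "RS256" { // pin the algorithm: rejects "none" and HS256 key confusion
		return nil, fmt.Errorf("alg %q not allowed", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range keys.Keys {
		if k.Kty == "RSA" && k.Kid == hdr.Kid {
			n, _ := b64.DecodeString(k.N)
			e, _ := b64.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no RSA key with kid %q; refresh the JWKS from jwks_uri", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature invalid")
	}
	var c IDClaims // the payload is parsed only now that the signature checks out
	if err := segment(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("issuer %q is not %q", c.Iss, issuer)
	case !audContains(c.Aud, clientID):
		return nil, errors.New("aud does not include our client_id")
	case now.Unix() >= c.Exp:
		return nil, errors.New("ID token expired")
	case c.Nonce != nonce:
		return nil, errors.New("nonce mismatch: token not bound to this login")
	}
	return &c, nil
}

// audContains accepts both forms the spec allows for aud: "client" or ["client", "other"].
func audContains(raw json.RawMessage, clientID string) bool {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return one == clientID
	}
	var many []string
	_ = json.Unmarshal(raw, &many)
	for _, a := range many {
		if a == clientID {
			return true
		}
	}
	return false
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	claims := map[string]any{"iss": "https://idp.example.com", "sub": "user-42", "aud": "my-client-id",
		"exp": time.Now().Add(time.Hour).Unix(), "nonce": "n-123"} // made-up values
	tok, _ := MintIDToken(priv, "k1", claims)
	fmt.Println(VerifyIDToken(tok, JWKSFor(&priv.PublicKey, "k1"), "https://idp.example.com", "my-client-id", "n-123", time.Now()))
}
```

The order matters: the header is trusted only for `kid` (a lookup into keys you already trust), the algorithm is pinned rather than read from the token, and the payload is not parsed until the signature has verified, so none of the claim checks ever run on attacker-controlled JSON. A `kid` miss is the cue to refresh the JWKS from `jwks_uri`, which is the "Signature Invalid" case in the troubleshooting table.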

## Troubleshooting

| Error               | Cause                                                                                   | Solution                                                                   |
| :------------------ | :-------------------------------------------------------------------------------------- | :------------------------------------------------------------------------- |
| `id_token missing`  | Scope `openid` not requested.                                                           | Add `openid` to scopes.                                                    |
| `Signature Invalid` | Token signed with a key (`kid`) that is not in your cached JWKS, typically after the provider rotated keys. | Refresh the JWKS from the discovery document's `jwks_uri` and retry once. |
| `Audience mismatch` | Token was issued to a different `client_id`.                                            | Compare `aud` with the Client ID registered for this application.          |

## References

- [OpenID Connect Core](https://openid.net/specs/openid-connect-core-1_0.html)
- [OIDC Playground](https://openidconnect.net/)