OpenID Connect
OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0. Where OAuth 2.0 answers "is this client allowed to do X?", OIDC adds "and who is the user?" by issuing a signed ID token alongside the access token.
TraffiTech implements the standard OIDC Authorization Code flow (with and without PKCE) and follows the OpenID Connect Core 1.0 spec.
Endpoints
These are provided by the TraffiTech OIDC server and discoverable from the well-known document.
| Endpoint | Method | Purpose |
|---|---|---|
/.well-known/openid-configuration | GET | OIDC Discovery - metadata document describing all endpoints, supported scopes, and algorithms |
/auth | GET | Authorization endpoint - where the user is sent to sign in |
/token | POST | Token endpoint - exchange an authorization code (or refresh token) for an ID token + access token |
/jwks | GET | JSON Web Key Set - public keys used to verify ID token signatures |
/userinfo | GET | User info endpoint - returns claims about the authenticated user |
/token/revocation | POST | Revoke an access or refresh token |
/token/introspection | POST | Check whether a token is currently active |
The authoritative source is always the discovery document. Fetch it with:
curl https://oidc.traffitech.com/.well-known/openid-configuration
Supported flows
TraffiTech supports the flows that are safe and current. Implicit flow and the password grant are intentionally not supported - modern clients should use Authorization Code + PKCE instead.
| Flow | Use case |
|---|---|
| Authorization Code + PKCE | Single-page apps and mobile apps. Recommended default. |
| Authorization Code + Client Secret | Confidential web apps that can safely store a secret on a server. |
| Refresh Token | Renew an expired access token without re-prompting the user. Issued when offline_access is in the requested scope. |
Scopes
| Scope | Returns |
|---|---|
openid | Required - signals an OIDC request (vs. plain OAuth 2.0). Produces an ID token. |
profile | Profile claims: name, given_name, family_name |
email | email and email_verified claims |
offline_access | Issues a refresh token so the client can renew without user interaction |
ID tokens
The ID token is a JWT signed with one of the keys published at /jwks. Typical claims:
| Claim | Meaning |
|---|---|
iss | Issuer - always https://oidc.traffitech.com |
sub | Subject - the user's unique, stable identifier |
aud | Audience - your client_id |
exp | Expiration (unix seconds) |
iat | Issued-at time |
email, email_verified | If email scope requested |
name, given_name, family_name | If profile scope requested |
Always verify the ID token on the client side:
- Fetch the JWKS from
/jwks(cache per discovery document'skidrotation). - Verify the signature against the matching key.
- Verify
iss,aud, andexp. - Verify the
nonceyou sent in the authorization request matches the one in the token.
Any standard JWT library handles this. Do not hand-roll the verification.
Clients
OIDC clients (your applications) are registered by the TraffiTech administrator. To integrate an app, contact your administrator to obtain:
- A
client_id(andclient_secretif your app is a confidential web app) - The allowed redirect URIs that can be registered
- The grant types your client is permitted to use
Once registered, point a standard OIDC library at https://oidc.traffitech.com and the discovery document will tell it everything else it needs.
Further reading
- OpenID Connect Core 1.0 - the spec