What OIDC does
OAuth 2.0 primarily handles authorisation – granting access to resources. OpenID Connect extends this by adding an authentication layer. It introduces the ID token, a signed JWT containing claims about the user, and the UserInfo Endpoint, which provides more detailed user profile information. OIDC also leverages the Discovery Document, a standardised endpoint that allows applications to dynamically learn about the identity provider's configuration, reducing hardcoded values and simplifying integration.
OIDC in Australian tenants today
In AU mid-market Microsoft 365 environments, OIDC is increasingly the default authentication protocol. Modern SaaS applications, Single Page Applications (SPAs) built on MSAL.js, and mobile applications commonly use OIDC for streamlined and secure user authentication. When deploying applications integrated with Entra ID, weigh OIDC's security and compliance benefits, which align with the ACSC Essential Eight's focus on minimising the attack surface. Compliance obligations such as APRA CPS 234 and CPS 230 increasingly require robust identity management practices, which OIDC facilitates.