OIDC Internals (Discovery, JWKS, Claims)

OIDC runbook: issuer discovery, JWKS rotation, claims mapping, and safe audience/nonce handling for production apps.

What OIDC Adds

  • An identity layer on top of OAuth2.
  • Standardized id_token with claims about the user.
  • Discovery metadata + JWKS for key distribution.

Hard Requirements

  • Verify issuer (iss) exactly.
  • Verify audience (aud) per client/app.
  • Verify token expiry and clock skew policy.
  • Use nonce in browser-based flows where applicable.
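The four hard requirements above as a claim-validation routine, added here as an example that is not part of the runbook. It assumes the token's signature has already been verified against the issuer's JWKS by your JWT library; the names ISSUER, CLIENT_ID, NOW and SAMPLE_CLAIMS are constructed for the illustration. The audience check also enforces the azp rule from OIDC Core for multi-audience tokens, which goes slightly beyond the bullet list.

```python
import hmac
import time

# Added example, not from the runbook. Values below are constructed.
ISSUER = "https://issuer.example"   # the exact `issuer` from discovery metadata
CLIENT_ID = "app-123"               # this relying party's client_id


class IdTokenValidationError(Exception):
    """One of the hard requirements (iss, aud, exp/iat, nonce) failed."""


def validate_id_token_claims(claims, *, issuer, client_id, nonce=None,
                             now=None, leeway=60):
    """Return the claims if they pass; raise IdTokenValidationError otherwise.

    `claims` is the payload of an id_token whose signature was ALREADY verified;
    no crypto happens here. `leeway` is the clock-skew tolerance in seconds.
    """
    now = time.time() if now is None else now

    # Issuer: exact string comparison, no trailing-slash or case tolerance.
    if claims.get("iss") != issuer:
        raise IdTokenValidationError("issuer mismatch: %r" % (claims.get("iss"),))

    # Audience: a string or a list; this client_id must be listed.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        raise IdTokenValidationError("audience mismatch: %r" % (aud,))
    # With several audiences OIDC Core wants azp present, and azp, when
    # present, must name this client. Enforced here rather than merely checked.
    azp = claims.get("azp")
    if (len(audiences) > 1 and azp is None) or (azp is not None and azp != client_id):
        raise IdTokenValidationError("azp missing or not this client")

    # Expiry and issue time, each with the same skew tolerance.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise IdTokenValidationError("token expired or exp missing")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + leeway:
        raise IdTokenValidationError("iat missing or in the future")

    # Nonce: must equal the value this app sent in the authorization request.
    if nonce is not None:
        if not hmac.compare_digest(str(claims.get("nonce", "")), nonce):
            raise IdTokenValidationError("nonce mismatch")

    return claims


NOW = 1_700_000_000  # constructed fixed "current time" for the samples

SAMPLE_CLAIMS = {
    "iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
    "exp": NOW + 300, "iat": NOW - 5, "nonce": "n-abc",
}


def outcome(claims, **kw):
    """'ok' or the error message, so results can be tabulated."""
    try:
        validate_id_token_claims(claims, issuer=ISSUER, client_id=CLIENT_ID,
                                 now=NOW, **kw)
        return "ok"
    except IdTokenValidationError as e:
        return str(e)


def check_samples():
    """Run the valid token plus one variant per failure mode."""
    return {
        "valid": outcome(SAMPLE_CLAIMS, nonce="n-abc"),
        "issuer_drift": outcome({**SAMPLE_CLAIMS, "iss": ISSUER + "/"}),
        "audience_mismatch": outcome({**SAMPLE_CLAIMS, "aud": "other-service"}),
        "expired": outcome({**SAMPLE_CLAIMS, "exp": NOW - 120}),
        "inside_skew": outcome({**SAMPLE_CLAIMS, "exp": NOW - 30}),
        "bad_nonce": outcome(SAMPLE_CLAIMS, nonce="n-other"),
        "multi_aud_with_azp": outcome({**SAMPLE_CLAIMS,
                                       "aud": [CLIENT_ID, "other"], "azp": CLIENT_ID}),
        "multi_aud_no_azp": outcome({**SAMPLE_CLAIMS, "aud": [CLIENT_ID, "other"]}),
    }


if __name__ == "__main__":
    for name, result in check_samples().items():
        print(f"{name:20s} {result}")
```

Note that "inside_skew" passes: a token 30 seconds past exp is accepted under the 60-second leeway, which is the policy decision the third bullet asks you to make explicitly rather than leave to library defaults.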

JWKS Rotation (Ops)

Best practice:

  • Cache JWKS with a TTL.
  • Refresh on an unknown kid.
  • Keep previous keys available during rotation.
  • Alert on sudden verification failures.
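The four rotation rules as a small JWKS cache, added as an example that is not the runbook's own code. It assumes a `fetch` callable that returns the parsed JWKS document from the issuer's jwks_uri; the JwksCache class, the fake provider state in simulate_rotation and the placeholder key material are all constructed for the illustration. Unknown-kid refreshes are rate-limited so that a stream of tokens with bogus kids cannot turn into a fetch storm against the provider.

```python
import time

# Added example, not from the runbook. JwksCache and the fake provider are constructed.


class JwksCache:
    """kid -> JWK cache: TTL refresh, refresh on unknown kid (rate-limited),
    retention of keys that vanished from the JWKS, and a failure counter."""

    def __init__(self, fetch, ttl=3600, retain=86400, min_refresh_gap=30,
                 clock=time.time):
        self._fetch = fetch              # returns {"keys": [...]} from jwks_uri
        self._ttl = ttl                  # seconds between routine refreshes
        self._retain = retain            # keep a vanished key this long
        self._min_gap = min_refresh_gap  # rate limit for unknown-kid refreshes
        self._clock = clock
        self._keys = {}                  # kid -> (jwk, last time seen in JWKS)
        self._fetched_at = None
        self._last_attempt = None
        self.unknown_kid_failures = 0    # feed this to alerting

    def _refresh(self):
        now = self._clock()
        self._last_attempt = now
        for jwk in self._fetch().get("keys", []):
            if jwk.get("kid"):
                self._keys[jwk["kid"]] = (jwk, now)
        # Keys no longer published stay usable for `retain` seconds so tokens
        # signed just before rotation still verify; older ones are dropped.
        self._keys = {k: v for k, v in self._keys.items()
                      if now - v[1] <= self._retain}
        self._fetched_at = now

    def get_key(self, kid):
        now = self._clock()
        if self._fetched_at is None or now - self._fetched_at >= self._ttl:
            self._refresh()
        if kid not in self._keys and (
                self._last_attempt is None or now - self._last_attempt >= self._min_gap):
            self._refresh()              # unknown kid: probably a rotation
        if kid not in self._keys:
            self.unknown_kid_failures += 1
            raise KeyError(f"no key for kid {kid!r}")
        return self._keys[kid][0]


def simulate_rotation():
    """Drive the cache through a key rotation with a fake provider and clock."""
    provider = {
        "time": 1000.0,
        "fetches": 0,
        "jwks": {"keys": [{"kid": "k1", "kty": "RSA", "e": "AQAB",
                           "n": "placeholder-modulus-k1"}]},   # constructed
    }

    def fetch_jwks():
        provider["fetches"] += 1
        return provider["jwks"]

    cache = JwksCache(fetch_jwks, ttl=3600, retain=86400, min_refresh_gap=30,
                      clock=lambda: provider["time"])
    ev = {}
    cache.get_key("k1")
    ev["fetches_after_first_lookup"] = provider["fetches"]    # 1
    cache.get_key("k1")
    ev["fetches_after_cached_lookup"] = provider["fetches"]   # still 1

    # Provider rotates ten minutes later and publishes only k2.
    provider["time"] += 600
    provider["jwks"] = {"keys": [{"kid": "k2", "kty": "RSA", "e": "AQAB",
                                  "n": "placeholder-modulus-k2"}]}
    ev["k2_found"] = cache.get_key("k2")["kid"] == "k2"       # unknown kid -> refresh
    ev["fetches_after_rotation"] = provider["fetches"]        # 2
    ev["k1_still_usable"] = cache.get_key("k1")["kid"] == "k1"  # retained

    # A bogus kid inside the rate-limit window must not trigger another fetch.
    try:
        cache.get_key("bogus")
    except KeyError:
        pass
    ev["fetches_after_bogus"] = provider["fetches"]           # still 2
    ev["unknown_kid_failures"] = cache.unknown_kid_failures   # 1
    return ev


if __name__ == "__main__":
    for k, v in simulate_rotation().items():
        print(f"{k:28s} {v}")
```

The `unknown_kid_failures` counter is what the "alert on sudden verification failures" rule should watch: a step change after a provider deploy usually means the wrong JWKS endpoint, a rotation without overlap, or an issuer mix-up rather than an attack.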

Claims Mapping

  • Map stable subject (sub) to your internal user id.
  • Avoid using mutable fields (e.g. email) as the primary identity key.
  • Handle email change and verification status explicitly.
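The three claims-mapping rules as a minimal user directory, added as an example rather than the runbook's own code. It keys accounts on the (iss, sub) pair, since sub is only unique within one issuer, and treats email and email_verified as attributes re-read on every login. UserDirectory, the user-id format and the sample claims are constructed for this illustration.

```python
# Added example, not from the runbook. UserDirectory and sample claims are constructed.


class UserDirectory:
    """Maps verified id_token claims to an internal user id."""

    def __init__(self):
        self._id_by_identity = {}   # (iss, sub) -> internal user id
        self._users = {}            # internal user id -> attribute record
        self._next = 1

    def resolve(self, claims):
        """Look up or create the account for these claims.

        Returns {"id", "created", "changed", "record"}; `changed` lists the
        attributes that differ from the stored record after this login.
        """
        key = (claims["iss"], claims["sub"])     # stable, issuer-scoped identity
        uid = self._id_by_identity.get(key)
        created = uid is None
        if created:
            uid = f"user-{self._next}"
            self._next += 1
            self._id_by_identity[key] = uid
            self._users[uid] = {"email": None, "email_verified": False}
        rec = self._users[uid]
        before = dict(rec)

        email = claims.get("email")
        if email is not None:
            rec["email"] = email
            # email_verified must be literally true; absent means unverified.
            # Re-evaluated on each login so a changed address never inherits
            # the verification status of the old one.
            rec["email_verified"] = claims.get("email_verified") is True

        changed = sorted(k for k in rec if rec[k] != before[k])
        return {"id": uid, "created": created, "changed": changed, "record": dict(rec)}

    def find_verified_by_email(self, email):
        """Email-based lookups (e.g. invitations) only honour verified addresses."""
        return [uid for uid, rec in self._users.items()
                if rec["email"] == email and rec["email_verified"]]


def demo():
    """Three logins that exercise creation, email change, and email reuse."""
    d = UserDirectory()
    iss = "https://issuer.example"   # constructed issuer
    first = d.resolve({"iss": iss, "sub": "abc",
                       "email": "a@example.com", "email_verified": True})
    # Same subject after changing the address at the IdP: same account,
    # new email, verification status taken from the new claims.
    changed = d.resolve({"iss": iss, "sub": "abc",
                         "email": "new@example.com", "email_verified": False})
    # A different subject presenting the old address must get its own account,
    # which is why email cannot be the primary key.
    other = d.resolve({"iss": iss, "sub": "xyz",
                       "email": "a@example.com", "email_verified": True})
    return first, changed, other, d.find_verified_by_email("new@example.com")


if __name__ == "__main__":
    for r in demo()[:3]:
        print(r)
```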

Failure Modes

  • Issuer drift: accepting multiple issuers accidentally.
  • Key confusion: wrong JWKS for issuer/client.
  • Audience mismatch: token usable across services if not checked.