

What is OpenID Connect?

OpenID Connect is a standard built on top of OAuth 2.0. It provides support for user authentication and, among other things, allows clients to obtain end-user identity attributes in an interoperable manner and to manage multiple sessions. It is meant to be a lightweight, modern, JSON-based alternative to SAML.

The OpenID Connect specification defines a Relying Party (RP) as an OAuth 2.0 Client requiring End-User authentication, and an OpenID Provider (OP) as an OAuth 2.0 Authorization Server which performs this authentication. As a result of successful authentication, the OpenID Provider issues an ID Token, which is a JWT-compliant JSON object containing a set of claims (user identity attributes).

OneWelcome Access acts as an OpenID Provider which manages the ID Tokens and the authentication process. OneWelcome Access does not, however, manage the identity itself; the actual authentication is delegated to an Identity Provider.


OneWelcome Access implements OpenID Connect Discovery which enables a Relying Party to determine the capabilities of the OpenID Provider at runtime. See Discovery API for the API reference.


OneWelcome Access exposes claims via the User Info endpoint. See User Info for the API reference.

JSON Web Key Set

OneWelcome Access exposes keys used for calculating the digital signature of the ID Token via the JWKS endpoint.
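The following is an added example, not OneWelcome code: a Relying Party-side check that picks the JWKS key an ID Token must be verified with, using the algorithm list from the discovery document. The issuer URL, key ids and key material are constructed placeholders, the metadata field names are those of the OpenID Connect Discovery specification, and the signature check itself is left to a JOSE library.

```python
import base64
import json

KTY_FOR_ALG = {"RS": "RSA", "PS": "RSA", "ES": "EC"}  # JWS alg family -> JWK key type

def b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_json(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def select_verification_key(id_token, discovery, jwks, expected_issuer):
    """Return the one JWK allowed to verify this ID Token, or raise ValueError."""
    if discovery.get("issuer") != expected_issuer:
        raise ValueError("discovery document issuer mismatch")
    parts = id_token.split(".")
    if len(parts) != 3 or not parts[2]:
        raise ValueError("not a signed compact JWT")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("JWT header is not a JSON object")
    alg, kid = header.get("alg"), header.get("kid")
    # Accept only algorithms the OP advertises, and never the unsigned "none".
    allowed = set(discovery.get("id_token_signing_alg_values_supported", [])) - {"none"}
    if not isinstance(alg, str) or alg not in allowed:
        raise ValueError(f"algorithm {alg!r} not accepted")
    # The key must match kid, be a signing key, and fit the algorithm family.
    matches = [k for k in jwks.get("keys", [])
               if k.get("kid") == kid and k.get("use", "sig") == "sig"
               and k.get("alg", alg) == alg and k.get("kty") == KTY_FOR_ALG.get(alg[:2])]
    if len(matches) != 1:
        raise ValueError(f"expected one key for kid {kid!r}, found {len(matches)}")
    return matches[0]

# Constructed sample data: placeholder issuer, key material and signature.
ISSUER = "https://op.example.test/oauth"
DISCOVERY = {"issuer": ISSUER, "jwks_uri": ISSUER + "/jwks",
             "id_token_signing_alg_values_supported": ["RS256", "none"]}
JWKS = {"keys": [
    {"kty": "RSA", "kid": "sig-1", "use": "sig", "alg": "RS256", "n": "placeholder", "e": "AQAB"},
    {"kty": "RSA", "kid": "enc-1", "use": "enc", "n": "placeholder", "e": "AQAB"}]}

def make_token(header):
    claims = {"iss": ISSUER, "sub": "user-1"}
    return ".".join([b64url_json(header), b64url_json(claims), "c2ln"])

if __name__ == "__main__":
    key = select_verification_key(make_token({"alg": "RS256", "kid": "sig-1"}), DISCOVERY, JWKS, ISSUER)
    print("verify with key:", key["kid"])
```

Tokens whose header names `none`, an algorithm the provider does not advertise, or a `kid` that resolves to an encryption key are rejected before any signature check is attempted.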

ID Token encryption (JSON Web Encryption)

The ID Token can be encrypted to hide sensitive claims. By default this feature is turned off. See ID Token encryption for more information.

Session management

OneWelcome Access supports session management. See Session Management for more details.