OpenID Connect (OIDC) is an authentication protocol built on top of OAuth 2.0. It allows clients (like web or mobile apps) to verify the identity of a user who logs in via an external identity provider (IdP) — such as Google, Microsoft, Apple, etc.
OAuth 2.0 → handles authorization (access to resources)
OpenID Connect → handles authentication (who is the user?)
User clicks "Login with Google"
Your app redirects the user to Google’s login page
After successful login, Google redirects back with an ID token
Your app validates this JWT token
You now know who the user is — verified by Google
The ID token is a JSON Web Token (JWT) containing user identity data, like:
{
"iss": "https://accounts.google.com",
"sub": "1234567890",
"name": "John Doe",
"email": "john@example.com",
"iat": 1650000000,
"exp": 1650003600
}
iss
= issuer (e.g. Google)
sub
= user ID
email
, name
= user info
iat
, exp
= issued at / expiration
“Login with Google/Microsoft/Apple”
Single Sign-On (SSO) in organizations
Centralized user identity (Keycloak, Auth0, Azure AD)
OAuth APIs that require identity verification
Component | Description |
---|---|
Relying Party | Your app (requests login) |
Identity Provider | External login provider (e.g. Google) |
ID Token | JWT containing the user’s identity |
UserInfo Endpoint | (Optional) endpoint for additional user data |
CORS (Cross-Origin Resource Sharing) is a security mechanism implemented by web browsers to control which websites can access resources from other domains. By default, browsers block cross-origin requests—requests made from one website to another domain, protocol, or port—for security reasons.
Without CORS, malicious websites could secretly send requests to other servers (e.g., API servers or banking sites), potentially stealing or misusing sensitive data (Cross-Site Request Forgery, CSRF). CORS ensures that only explicitly allowed websites can access resources.
When a web application makes a cross-origin request (e.g., from http://example.com
to https://api.example.com
), the browser automatically sends a CORS request. The server must then respond with specific HTTP headers to indicate whether the request is allowed:
Without CORS headers:
The browser blocks the request.
With CORS headers:
The server can respond with Access-Control-Allow-Origin: *
(allowing all domains) or a specific domain (Access-Control-Allow-Origin: https://example.com
). This enables access.
For certain requests (e.g., PUT
, DELETE
, or requests with custom headers), the browser sends a preflight request using the OPTIONS
method. The server must respond with the correct CORS headers to allow the main request.
CORS is a crucial security measure that prevents unauthorized websites from accessing foreign resources. Developers must configure the correct server-side headers to allow legitimate clients to access the data.
A web application firewall (WAF) is a security solution that has been specially developed to protect web applications. It monitors traffic between web browsers and web applications to detect and block potentially harmful or unwanted activity. Essentially, a WAF acts as a shield that protects web applications from a variety of attacks, including
Obfuscation is a process where the source code of a program is altered to make it difficult for humans to understand while maintaining its functionality. This is often done to protect the source code from reverse engineering or to make it more compact without affecting functionality. Techniques such as renaming variables and functions, adding unnecessary code, or altering the program's structure are used. Obfuscation is commonly employed in software development, especially in the creation of commercial software products or in providing software as a service (SaaS), to protect intellectual property and make unwanted manipulation more difficult