Description
OpenID Connect (OIDC) is an identity protocol standardized by the OpenID Foundation and adopted by 3GPP for identity management. It operates as a thin identity layer on top of the OAuth 2.0 authorization framework. OIDC enables Clients (Relying Parties) to verify the identity of an End-User based on the authentication performed by an Authorization Server (OpenID Provider) and to obtain basic profile information about the End-User in an interoperable and REST-like manner. The core component is the ID Token, a JSON Web Token (JWT) containing claims about the authentication event and the user. This token is signed, and optionally encrypted, by the Authorization Server. The protocol uses the standard OAuth 2.0 flows (Authorization Code, Implicit, Hybrid) to obtain these tokens. In 3GPP, OIDC is integrated to allow third-party application providers secure access to network APIs and user data, leveraging the network's authentication capabilities. The architecture involves the User Equipment (UE), the Relying Party (Application Server), and the 3GPP network acting as, or integrating with, the OpenID Provider. The protocol defines endpoints for discovery, authorization, token issuance, and user information, giving a standardized way to achieve single sign-on and identity federation across services.
Purpose & Motivation
OIDC was introduced to address the need for a modern, standardized, and secure identity protocol for internet-scale authentication in mobile networks. Prior to its adoption, proprietary or less interoperable methods were used for third-party access to network authentication assertions. The growth of web and mobile applications requiring secure user login and profile sharing necessitated a solution based on open standards. OIDC solves this by building on the widely adopted OAuth 2.0 framework and providing a defined way to convey identity information. Its adoption was motivated by the industry shift towards API-based network exposure (e.g., via SCEF, NEF) and the need to authorize third-party applications to access network services and user data without sharing credentials. It addresses limitations of earlier SAML-based approaches by being more lightweight, JSON-based, and suited to mobile and RESTful API environments.
Key Features
- Identity layer on OAuth 2.0
- ID Token as signed JWT
- UserInfo endpoint for profile data
- Standardized discovery mechanism
- Support for multiple flows (Code, Implicit, Hybrid)
- Session management capabilities
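The following is an added example, not code from the original page or from any 3GPP or OpenID Foundation specification, showing what the Relying Party must do with the ID Token described above: check the JWS signature and then the iss, aud/azp, exp, iat and nonce claims before trusting the identity. It uses HS256 with the client secret as the HMAC key (one of the signing options OIDC Core allows) so that it runs with only the Python standard library; a production RP would normally verify an RS256/ES256 signature against the OP's published JWKS instead. The issuer URL, client_id, client secret and all claim values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder values; not from any real deployment.
ISSUER = "https://op.example.net"                      # hypothetical OpenID Provider
CLIENT_ID = "rp-app-1234"                              # hypothetical Relying Party client_id
CLIENT_SECRET = b"constructed-client-secret-for-demo"  # HS256 key (OIDC Core 10.1 style)


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as required for JWS segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_part(obj: dict) -> str:
    """JSON-serialise a header or claim set and base64url-encode it."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_id_token(claims: dict, key: bytes) -> str:
    """Mint an HS256-signed ID Token the way a (hypothetical) OP would."""
    signing_input = encode_part({"alg": "HS256", "typ": "JWT"}) + "." + encode_part(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class IdTokenError(ValueError):
    """Raised when an ID Token fails any validation step."""


def verify_id_token(token: str, key: bytes, issuer: str, client_id: str,
                    expected_nonce: str, now: Optional[int] = None, leeway: int = 60) -> dict:
    """RP-side ID Token validation (subset of OIDC Core 3.1.3.7). Returns the claims or raises."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("token is not a three-part JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the RP decides, never the token header (blocks alg=none and key confusion).
    if header.get("alg") != "HS256":
        raise IdTokenError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise IdTokenError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise IdTokenError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        raise IdTokenError("token not intended for this client")
    # With several audiences, azp must name this client.
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        raise IdTokenError("multiple audiences but azp is not this client")
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + leeway:
        raise IdTokenError("token expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + leeway:
        raise IdTokenError("token issued in the future")
    # The nonce binds the token to the session that started the authorization request.
    if claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch (possible replay)")
    return claims


def demo(now: int = 1_700_000_000) -> dict:
    """End to end: the OP issues a token for a session nonce and the RP validates it."""
    session_nonce = "n-0S6_WzA2Mj"  # constructed; generated per login by the RP
    claims = {"iss": ISSUER, "sub": "user-0042", "aud": CLIENT_ID,
              "exp": now + 300, "iat": now, "auth_time": now - 5, "nonce": session_nonce}
    token = issue_id_token(claims, CLIENT_SECRET)
    return verify_id_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID, session_nonce, now=now)


if __name__ == "__main__":
    print(demo())
```

Each check rejects a distinct failure: a pinned `alg` stops header-driven algorithm downgrade, `iss` and `aud` stop tokens minted by or for someone else, `exp`/`iat` bound the token's lifetime, and the `nonce` ties the token to the browser session that initiated the login so a captured token cannot be replayed into a different session.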
Evolution Across Releases
Initial adoption of the OpenID Connect Core 1.0 specification within 3GPP for application authentication. It was integrated to provide a standardized framework for third-party applications to verify user identity using the mobile network's authentication, primarily for network API exposure scenarios.
Defining Specifications
| Specification | Title |
|---|---|
| TS 24.482 | 3GPP TS 24.482 |
| TS 33.179 | 3GPP TS 33.179 |
| TS 33.180 | 3GPP TS 33.180 |
| TR 33.879 | 3GPP TR 33.879 |