OIDC

OpenID Connect

Introduced in Rel-13

OIDC is an identity layer built on OAuth 2.0 that enables secure user authentication and authorization in 3GPP networks, allowing applications to verify identity and obtain basic profile information.

Category: Security
Introduced: Rel-13
Where: Services
Specifications: 4 specs

Description

OpenID Connect (OIDC) is an identity protocol standardized by the OpenID Foundation and adopted by 3GPP for identity management. It is a thin identity layer on top of the OAuth 2.0 authorization framework. OIDC enables Clients (Relying Parties) to verify the identity of an End-User based on the authentication performed by an Authorization Server (OpenID Provider) and to obtain basic profile information about the End-User in an interoperable and REST-like manner. The core component is the ID Token, a JSON Web Token (JWT) containing claims about the authentication event and the user. This token is signed and optionally encrypted by the Authorization Server. The protocol uses standard OAuth 2.0 flows (Authorization Code, Implicit, Hybrid) to obtain these tokens.

In 3GPP, OIDC is integrated to allow secure access to network APIs and user data by third-party application providers, leveraging the network's authentication capabilities. The architecture involves the User Equipment (UE), the Relying Party (Application Server), and the 3GPP network acting as or integrating with the OpenID Provider. The protocol defines endpoints for discovery, authorization, token issuance, and user information, ensuring a standardized way to achieve single sign-on and identity federation across services.

Purpose & Motivation

OIDC was introduced to address the need for a modern, standardized, and secure identity protocol for internet-scale authentication in mobile networks. Prior to its adoption, proprietary or less interoperable methods were used for third-party access to network authentication assets. The growth of web and mobile applications requiring secure user login and profile sharing necessitated a solution based on open standards. OIDC solves this by building on the widely adopted OAuth 2.0 framework, providing a defined way to convey identity information. Its creation was motivated by the industry shift towards API-based network exposure (e.g., via SCEF, NEF) and the need to securely authorize third-party applications to access network services and user data without sharing credentials. It addresses limitations of previous SAML-based approaches by being more lightweight, JSON-based, and suited for mobile and RESTful API environments.

Classification

Part of: JWT
Related approaches: NEF

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (1 CR across 1 release). Complements the general historical overview above with the evidence-based evolution of this function.

Studied in Rel-13, normative work from Rel-19.

Rel-19: 1 change

In Release 19, the primary new introduction for the OIDC function is the "OIDC Client Registration" capability for the Identity Management System (IdMS). This addition formalizes the process for an IdM client to register with the IdM server, establishing the necessary client credentials before initiating the existing OpenID Connect-based user authentication procedures for Mission Critical services as defined in the architecture.

  • IdMS - OIDC Client Registration (TS 33.180, CR0216)

Defining Specifications

3GPP specifications that define or reference OIDC, with the latest known release. Sourced from the 3GPP document catalog.

Specification  | Title                                         | Release
TS 24.482 vj00 | Mission Critical Services Identity Management | Rel-19
TS 33.179 vdc0 | MCPTT Security Architecture and Procedures    | Rel-13
TS 33.180 vk00 | Security of Mission Critical (MC) Service     | Rel-20
TS 33.879 vd10 | MCPTT Security Study                          | Rel-13