OpenIDConnect (OIDC) is a flow used for authenticating users. This is distinct from authorization; the goal of authorization is to give a permission to do something, where as with authentication the goal is to identify the user reliably.

The task QTBUG-124334 is about adding some convenience support for acquiring the id_token, which can then mostly be treated as an opaque token for accessing web resources.

However, the OpenID Connect specification defines a more broad set of features. This Jira item is a placeholder item for these features, and any discussion around them.

Current understanding on which features this might entail (a "base feature-set" if you will):

• JWT verification and data access
  • Decode JWT, verify signature, extract claims and expiration
  • Probably requires a new value class (QJsonWebToken), and maybe QOpenIDConnect for verification?
• JWT endpoint discovery
  • Probably requires a new Qt class (QOpenIDConnect?)
  • Retrieve endpoints and public keys required for JWT verification
• OIDC UserInfo support
  • Probably requires a new Qt class (QOpenIDConnect?)

There are many more features that might be useful as well:

• Encrypted token support (JWE)
• Session management (SSO shared between local applications)
• Dynamic client registration
• WebFinger (RFC 7033)
• Creating new JWTs in the Qt application