The authorize URI on the authorization server is where an OIDC flow starts.
The redirect URI tells the issuer where to redirect the browser back to when the flow is done.
Every client (website or mobile app) is identified by a client ID.
Unlike a client secret, the client ID is a public value that does not have to be protected.
Clients can request additional information or permissions via scopes.
The openid scope is the only required scope.
The OpenID Connect spec defines some standard scopes,
and applications can define their own custom scopes as well.
The state is an optional value that is carried through the whole flow and returned to the client.
It's common to use state to store an anti-forgery token that can be verified after the login flow is complete. Another common use is storing the location the user should be redirected to after logging in.
A nonce (or number used once) is a random value that is used to prevent replay attacks.
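The parameters above come together in the authorization request and the checks on the way back. The following is an added example (not code from the original page); the issuer, client ID and redirect URI are placeholder assumptions, and it shows how state and nonce are generated, carried through the flow, and verified on return.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder issuer and client values (assumptions, not a real deployment).
AUTHORIZE_URI = "https://issuer.example.com/oauth2/v1/authorize"
CLIENT_ID = "example-client-id"   # public value, safe to embed in a browser app
REDIRECT_URI = "https://app.example.com/callback"

def build_authorize_request(scopes=("openid", "profile", "email"), return_to="/"):
    """Return (url, pending) for the start of an OIDC Authorization Code flow.

    `pending` holds the state and nonce the client must keep (server session or
    a bound cookie) so they can be checked when the browser comes back.
    """
    if "openid" not in scopes:
        raise ValueError("the openid scope is required for an OIDC request")
    state = secrets.token_urlsafe(32)   # anti-forgery token, round-trips unchanged
    nonce = secrets.token_urlsafe(32)   # bound into the ID token to defeat replay
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    pending = {"state": state, "nonce": nonce, "return_to": return_to}
    return f"{AUTHORIZE_URI}?{urlencode(params)}", pending

def handle_callback(callback_url, pending):
    """Validate the redirect back from the issuer; return the code, or None."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    code = query.get("code", [None])[0]
    # A missing or altered state means this response was not started by this
    # client session, so the code must not be exchanged.
    if not state or not secrets.compare_digest(state, pending["state"]):
        return None
    return code

def check_nonce(id_token_claims, pending):
    """The nonce claim in the ID token must equal the one sent in the request."""
    claim = id_token_claims.get("nonce", "")
    return bool(claim) and secrets.compare_digest(claim, pending["nonce"])
```

The ID token's signature, issuer, audience and expiry still need to be verified before `check_nonce` is meaningful; the nonce check only ties that token to this request.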