Understanding OpenID Connect

OpenID Connect is an identity layer on top of OAuth 2.0, finalized in 2014. Its success comes from returning a simple JSON-based identity token, a JSON Web Token (JWT, pronounced "jot"), signed by the OpenID Provider (OP) and delivered through the OAuth 2.0 flows, which suits web, mobile, and browser-based applications. Whereas OAuth 2.0 alone only grants access (an access token says what its bearer may do, not who the bearer is), OpenID Connect tells the client exactly which user authenticated. Consider the following diagram:

We can compare an identity token to a driving license: it is issued by an authority the reader trusts and carries driver information such as license number, license expiry, first name, last name, type of vehicle permitted, and so on.

The identity token is a JWT: its header, payload, and signature are each base64url-encoded and joined with dots. The payload carries claims such as the subject (sub, a stable identifier for the user), the issuing authority (iss), the audience (aud, the client_id the token was issued to), and the expiry time (exp). It may also contain further claims about the user, either standard ones such as name and email, which the client requests with scopes such as profile and email, or custom claims defined by the OP.

When the user has authenticated, the OP returns the identity token to the client application over a secure channel, usually together with an access token. The two tokens have different consumers. The identity token is for the client: it verifies the signature, issuer, audience, and expiry and learns who signed in. The access token is for resources: the client presents it to the protected API, and the resource server (backed by the authorization server that issued it) decides whether the holder may access the resource. The identity token is not exchanged for an access token, and it should not be sent to APIs as if it were one.

Here is a sample identity token. The header and payload are shown decoded; in transit each part is base64url-encoded and the three parts (header, payload, signature) are joined with dots:

    // Header
    {
      "typ": "JWT",
      "alg": "HS256"
    }
    // Payload
    {
      "sub": "5c610ea3-2e19-4f1a-9c42-19f03539bad7",
      "aud": "ea",
      "iss": "https://ea/identity",
      "exp": 1554422985,
      "auth_time": 1554422985,
      "given_name": "John",
      "family_name": "Scott",
      "scope": ["read", "write"]
    }
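As an added example (not code from the original book), here is a minimal HS256 identity token issued and then validated with nothing but Python's standard library. It assumes a hypothetical OP at https://ea/identity, a client_id of "ea", and a shared HMAC secret; the claims are constructed to mirror the sample above. The validation side performs the checks a client must make on an identity token (pinned algorithm, signature, iss, aud, exp) and shows a forged claim and an alg=none token being rejected.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values (not from the original page): a hypothetical OP at
# https://ea/identity and a client whose client_id is "ea". The shared secret is
# an assumption so the example can sign with HS256 (an HMAC); a real OP usually
# signs with an asymmetric algorithm such as RS256 and publishes its public keys
# through its JWKS endpoint, so the client never holds a signing secret.
ISSUER = "https://ea/identity"
CLIENT_ID = "ea"
SHARED_SECRET = b"example-client-secret-not-for-production"

SAMPLE_CLAIMS = {
    "sub": "5c610ea3-2e19-4f1a-9c42-19f03539bad7",
    "aud": CLIENT_ID,
    "iss": ISSUER,
    "iat": 1554419385,
    "exp": 1554422985,
    "auth_time": 1554419385,
    "given_name": "John",
    "family_name": "Scott",
}

def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

def sign_id_token(claims: dict, secret: bytes) -> str:
    """The OP's side: header.payload signed with HMAC-SHA256."""
    signing_input = encode_json({"typ": "JWT", "alg": "HS256"}) + "." + encode_json(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_id_token(token: str, secret: bytes, issuer: str, client_id: str, now=None) -> dict:
    """The client's side: the checks of OpenID Connect Core 3.1.3.7; ValueError on failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm instead of trusting the header: this rejects alg=none and
    # stops an attacker switching algorithms to confuse key handling.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims

def forge_claim(token: str, name: str, value) -> str:
    """Attacker's move: rewrite one payload claim but keep the original signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims[name] = value
    return header_b64 + "." + encode_json(claims) + "." + sig_b64

def unsigned_token(claims: dict) -> str:
    """Attacker's move: an alg=none token with an empty signature part."""
    return encode_json({"typ": "JWT", "alg": "none"}) + "." + encode_json(claims) + "."

def rejection_reason(token, secret=SHARED_SECRET, issuer=ISSUER,
                     client_id=CLIENT_ID, now=1554422900):
    """None if the token is accepted, otherwise why it was rejected."""
    try:
        verify_id_token(token, secret, issuer, client_id, now)
        return None
    except ValueError as exc:
        return str(exc)

if __name__ == "__main__":
    token = sign_id_token(SAMPLE_CLAIMS, SHARED_SECRET)
    print(token)
    print("forged name:", rejection_reason(forge_claim(token, "given_name", "Mallory")))
    print("alg=none:", rejection_reason(unsigned_token(SAMPLE_CLAIMS)))
    print("expired:", rejection_reason(token, now=1554422985))
```

Run it directly to print the encoded token and the reasons the tampered variants are rejected. In production use a maintained JWT library and the OP's published JWKS rather than hand-rolled verification; the point of the example is which checks must happen and in what order, not that you should implement them yourself.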
It is not good practice to pack every user claim into the identity token, as that increases its size and the token travels with every request or redirect that carries it. The better approach is to keep the primary identifying claims in the token and fetch the rest on demand by presenting the access token to a protected endpoint: OpenID Connect defines the UserInfo endpoint for exactly this purpose, and your own protected Web API can serve application-specific profile data from a database in the same way.

You can learn more about OpenID Connect specification at http://openid.net/specs/openid-connect-core-1_0.html.
