Federated Identity Management (FIM) specifications have been massively adopted in web, cloud and mobile environments in recent years. Facebook, Google, Twitter, LinkedIn, Amazon, Microsoft and Salesforce, to mention only some significant examples, actively support standards such as OAuth and OpenID Connect, in many cases becoming identity providers. OpenID Connect is able to solve identification, authentication, authorization and accounting (IAAA) with one unified flow and two tokens, making logging easier, safer and more secure than with previous solutions. Naturally, experts are predicting widespread adoption of OpenID Connect in the coming years, not only in web, cloud and mobile environments but also in Fog Computing, IoT and Smart Places. To better understand the threats that this specification poses, this work presents a thorough threat modelling of the OpenID Connect core specification and its current implementations. Threats to security and privacy and up to 16 different attack patterns have been identified, analysed and described. Furthermore, possible mitigations and solutions are proposed for both specification and implementation aspects.