ID Tokens

ID Tokens are a type of security token used in OpenID Connect to convey information about a user’s authentication to a client. They are typically JSON Web Tokens (JWTs) issued by the OpenID Provider (OP) after a user successfully authenticates, and are delivered to the relying party (RP) as part of the authentication response.

The primary purpose of an ID Token is to prove that the user has been authenticated and to convey basic identity information to the client. It is distinct from access tokens, which are used to authorize access to protected resources. In many OpenID Connect flows, an ID Token is returned along with an access token and, in some cases, an authorization code.

A standard ID Token contains claims such as iss (issuer), sub (subject identifier for the user), aud (audience, typically the client), exp (expiration time), iat (issued-at time), and optionally nonce (to mitigate replay attacks). It may also include auth_time (time of user authentication) and acr (authentication context). Depending on the response type and configuration, it can include user attributes as claims, such as name, email, or picture, and may include at_hash or c_hash when paired with an access token or authorization code.

Validation is essential: clients must verify the token’s signature using the OP’s public keys, check that the issuer and audience are correct, ensure the token is not expired, and validate the nonce if one was used in the authentication request. ID Tokens should be treated as tokens asserting identity and not as tokens authorizing resource access; proper validation and secure handling are required to maintain security in authentication flows.
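The claim set and the validation steps described above, worked through as an added example that is not part of the original page. To keep it runnable with only the Python standard library it signs the token with HS256 and a shared secret; a real relying party would instead fetch the OP's RS256/ES256 public keys from its JWKS endpoint and verify with a JWT library. The issuer, client id, key, nonce and access token values are constructed, and the at_hash computation goes beyond the page by showing how the claim is derived (left-most half of the SHA-256 digest of the access token, base64url-encoded, for the *S256 algorithms).

```python
"""Added example: minimal OpenID Connect ID Token validation, standard library only.
HS256 is used purely so the example needs no crypto package; production RPs verify
against the OP's asymmetric JWKS keys. All names and values below are constructed."""
import base64
import hashlib
import hmac
import json
import time

# The RP should pin the alg(s) it registered with the OP; never accept "none".
ALLOWED_ALGS = {"HS256"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, key: bytes) -> str:
    """Constructed stand-in for the OP: sign the claim set as an HS256 JWT."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def compute_at_hash(access_token: str) -> str:
    """at_hash: base64url of the left half of the hash matching the token alg (SHA-256 here)."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])


def validate_id_token(token, key, issuer, client_id, nonce=None,
                      access_token=None, now=None, leeway=60):
    """Return the claims if every check passes, otherwise raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    # Signature check first: nothing in the payload is trusted until it passes.
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        raise ValueError("token not intended for this client")
    if len(aud_list) > 1 and claims.get("azp") != client_id:  # OIDC Core 3.1.3.7
        raise ValueError("multiple audiences but azp is not this client")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"] + leeway:
        raise ValueError("token expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + leeway:
        raise ValueError("iat in the future")
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if access_token is not None and claims.get("at_hash") != compute_at_hash(access_token):
        raise ValueError("at_hash does not match access token")
    return claims


# Constructed sample values for the demo.
ISSUER = "https://op.example"
CLIENT_ID = "rp-client-123"
KEY = b"constructed-shared-secret"
NOW = 1_700_000_000


def demo():
    """Validate one good token and several bad ones; return the outcome per case."""
    nonce, access_token = "n-0S6_WzA2Mj", "constructed-access-token"
    base = {"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID, "exp": NOW + 300,
            "iat": NOW, "nonce": nonce, "at_hash": compute_at_hash(access_token)}
    good = mint_id_token(base, KEY)
    results = {"good": validate_id_token(good, KEY, ISSUER, CLIENT_ID, nonce,
                                         access_token, now=NOW)["sub"]}
    # Tampered: payload edited after signing, signature left as-is.
    h, p, s = good.split(".")
    edited = dict(json.loads(b64url_decode(p)), sub="someone-else")
    bad = {"tampered": f"{h}.{b64url_encode(json.dumps(edited).encode())}.{s}",
           "wrong_aud": mint_id_token(dict(base, aud="other-client"), KEY),
           "expired": mint_id_token(dict(base, exp=NOW - 400), KEY)}
    for name, tok in bad.items():
        try:
            validate_id_token(tok, KEY, ISSUER, CLIENT_ID, nonce, access_token, now=NOW)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    try:  # valid token presented against a different request's nonce
        validate_id_token(good, KEY, ISSUER, CLIENT_ID, "other-nonce", access_token, now=NOW)
        results["replayed_nonce"] = "accepted"
    except ValueError as err:
        results["replayed_nonce"] = str(err)
    return results


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the signature is verified before any claim is read, so a forged payload never influences the issuer, audience or expiry logic, and the alg is compared against an allow-list rather than taken from the token. The leeway parameter absorbs small clock skew between OP and RP; it should stay in the order of seconds, not minutes.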