ID Token in OpenID Connect

Post author:anis kchaou
Post published:October 9, 2025
Post category:Uncategorized
Post comments:0 Comments
Post last modified:October 9, 2025

🔐 ID Token in OpenID Connect (OIDC)

Definition:
An ID Token is a JSON Web Token (JWT) issued by an Identity Provider (IdP) that proves the identity of a user to a client application.

While OAuth 2.0 is primarily about authorization (access to resources), the ID Token is about authentication — confirming who the user is.
The ID Token is digitally signed, so the client can verify it came from a trusted IdP and hasn’t been tampered with.

🧾 Structure of an ID Token (JWT)

JWTs are compact, URL-safe tokens with three parts, separated by dots (.):

HEADER.PAYLOAD.SIGNATURE

HEADER.PAYLOAD.SIGNATURE

1️⃣ Header

Metadata about the token and signing algorithm.
Example:

{
  "alg": "RS256",
  "typ": "JWT"
}

{
  "alg": "RS256",
  "typ": "JWT"
}

2️⃣ Payload (Claims)

Contains user information and other data (called claims).
Example:

{
  "iss": "https://accounts.google.com",      // Issuer (IdP)
  "sub": "1122334455",                        // User ID
  "aud": "client_id_123",                     // Audience (client app)
  "exp": 1739053600,                          // Expiration timestamp
  "iat": 1739050000,                          // Issued at timestamp
  "email": "alice@gmail.com",                 // User info
  "name": "Alice Johnson"
}

{
  "iss": "https://accounts.google.com",      // Issuer (IdP)
  "sub": "1122334455",                        // User ID
  "aud": "client_id_123",                     // Audience (client app)
  "exp": 1739053600,                          // Expiration timestamp
  "iat": 1739050000,                          // Issued at timestamp
  "email": "alice@gmail.com",                 // User info
  "name": "Alice Johnson"
}

Common Claims in ID Token:

Claim	Meaning
`iss`	Identity provider that issued the token
`sub`	Unique identifier for the user
`aud`	Intended recipient (the client app)
`exp`	Expiration time
`iat`	Issued-at time
`name`	User’s full name
`email`	User’s email address

3️⃣ Signature

Ensures the token hasn’t been altered.
Signed by the IdP using RSA or HMAC algorithms.
Client verifies this signature using the IdP’s public key.

🔄 How the ID Token Works in OIDC Flow

User logs in via Identity Provider.
IdP authenticates the user and issues:
- ID Token (JWT) → verifies the user’s identity
- Access Token → allows access to APIs (optional)
Client application receives the ID Token and:
- Validates signature and claims
- Extracts user info (email, name, user ID)
User is now authenticated in the application without a separate password.

💡 Example (Decoded ID Token Payload)

{
  "iss": "https://accounts.google.com",
  "sub": "1122334455",
  "aud": "myapp_123",
  "exp": 1739053600,
  "iat": 1739050000,
  "email": "alice@gmail.com",
  "name": "Alice Johnson",
  "email_verified": true
}

{
  "iss": "https://accounts.google.com",
  "sub": "1122334455",
  "aud": "myapp_123",
  "exp": 1739053600,
  "iat": 1739050000,
  "email": "alice@gmail.com",
  "name": "Alice Johnson",
  "email_verified": true
}

This tells the app:

The user is Alice, verified by Google.
The token expires at a specific time.
The token is intended only for this application (aud claim).

✅ Key Points

ID Token ≠ Access Token:
- ID Token → Authentication (who the user is)
- Access Token → Authorization (what the app can do)
JWT format: Compact, URL-safe, signed, and optionally encrypted.
Verified by the client to ensure authenticity.
Contains claims about the user and token validity.

🔐 ID Token in OpenID Connect (OIDC)

🧾 Structure of an ID Token (JWT)

1️⃣ Header

2️⃣ Payload (Claims)

3️⃣ Signature

🔄 How the ID Token Works in OIDC Flow

💡 Example (Decoded ID Token Payload)

✅ Key Points

You Might Also Like

Palindrome checking in Java

HTTP status codes

StringBuffer and StringBuilder in Java

Java keywords static, final, super, and this

Liquibase with Spring Boot

Leave a Reply Cancel reply