What is id_token used in OpenID Connect protocol?

"id_token" is Base64URL encoded string returned from the authentication service provider after the user successfully finishes the authentication process.

"id_token" follows the "RFC 7519 - JWT (JSON Web Token)" to encode authentication information. You should use the following logic to decode the "id_token" value:

• Splitting the encoded string into 3 components: Header, Body, and Signature by the dot "." delimiter: headerEncoded.bodyEncoded.signatureEncoded
• Get the header in JSON string as headerJSON = base64url_decode(headerEncoded).
• Get the body in JSON string as bodyJSON = base64url_decode(bodyEncoded).
• Get the signature in JSON string as signatureJSON = base64url_decode(signatureEncoded).
• Validate the signature using the algorithm given in the header.
• If the signature is good, take the information in the body and continue.

Here is example of an id_token string:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

After splitting and Base64URL decoding, we have:

Header =
{
  "alg": "HS256",
  "typ": "JWT"
}

Body = 
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

Signature = 0x
49f94ac7044948c78a285d904f87f0a4c7897f7e8f3a4eb2255fda750b2cc397

The "Body" component in an id_token is also called "Payload", or "Claim" of an authentication.

By the way, Base64URL encoding is same as Base64 encoding except for 2 encoding characters: "_" is used instead of "/", and "-" is used instead of "+". This is to make the encoded string URL safe.

 

⇒ What Is the Authentication Claim in id_token

⇐ OpenID Connect Authorization Code Flow

⇑ OpenID Connect Authentication Flows

⇑⇑ OpenID Tutorials