Decode Azure AD v2 id_token


How to decode the id_token value received from Azure AD v2.0 authentication response?



According to "RFC 7519 - JWT (JSON Web Token)" (whose compact form is the JWS compact serialization defined in RFC 7515), the "id_token" value received from the Azure AD authentication response should be decoded as below:

  • Split the encoded string into 3 components, Header, Body (the claims) and Signature, on the dot "." delimiter: headerEncoded.bodyEncoded.signatureEncoded. Reject anything that does not have exactly 3 parts.
  • Get the header as a JSON string: headerJSON = base64url_decode(headerEncoded). It tells you the signing algorithm ("alg", RS256 for Azure AD v2.0) and the key ID ("kid") to use when validating the signature.
  • Get the body as a JSON string: bodyJSON = base64url_decode(bodyEncoded). These are the claims (iss, aud, exp, nonce, sub, ...). They are readable by anyone holding the token and must not be trusted until the signature has been validated.
  • Get the signature as raw bytes: signature = base64url_decode(signatureEncoded). It is not JSON; it is the signature computed over the ASCII string "headerEncoded.bodyEncoded".

Note that base64url (RFC 4648, section 5) uses "-" and "_" in place of "+" and "/" and omits the trailing "=" padding, so before a standard base64 decoder can be used those two characters must be mapped back and the padding restored.

Here is an example PHP script, openID_receiver.php, that decodes all 3 components of the "id_token" value received in the Authentication Response:

<?php
# openID_receiver.php - decodes the id_token posted back by Azure AD v2.0
$id_token = $_REQUEST["id_token"];
$parts = explode(".", $id_token);
if (count($parts) !== 3) {
    die("Malformed id_token: expected header.body.signature");
}

# base64url (RFC 4648 section 5) uses '-' and '_' and drops the '=' padding.
# PHP's base64_decode() expects standard base64, so map the alphabet back
# ('-' => '+', '_' => '/') and restore the padding before decoding.
# Strict mode makes base64_decode() return false on any other character.
function base64url_decode($data) {
    $data = strtr($data, '-_', '+/');
    $remainder = strlen($data) % 4;
    if ($remainder) {
        $data .= str_repeat('=', 4 - $remainder);
    }
    return base64_decode($data, true);
}

$header = json_decode(base64url_decode($parts[0]));
echo json_encode($header, JSON_PRETTY_PRINT);
# ready to retrieve header attributes ("alg" and "kid" select the signing key)

$body = json_decode(base64url_decode($parts[1]));
echo json_encode($body, JSON_PRETTY_PRINT);
# ready to retrieve body attributes (claims); do not act on them before the signature is validated

$signature = base64url_decode($parts[2]);
# raw signature bytes, ready for signature validation over "$parts[0].$parts[1]"
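The same three-step decoding in Python, as an added example that is not part of the original page (the page's own code is the PHP script above). It restores the "=" padding that base64url drops, maps "-" and "_" back to the standard alphabet with a strict decoder, rejects tokens that do not have exactly 3 segments or whose header does not declare RS256 (the algorithm Azure AD v2.0 uses; this also refuses "none"), and hands back the raw signature bytes for the validation step. The sample id_token is constructed inline: its kid, aud, iss, sub and nonce values are placeholders and its signature is arbitrary bytes chosen to force "-" and "_" into the encoding, so it is not a token issued by Azure AD and will not verify against anything.

```python
import base64
import json

_B64URL_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)


def _b64url_encode(raw: bytes) -> str:
    """base64url encode without padding (used only to build the sample token)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# Constructed sample token (NOT issued by Azure AD). Header and claims mirror the
# shape of a v2.0 id_token; every identifier is a placeholder. The signature is
# the byte values 0..255, which guarantees '-' and '_' appear in the third segment.
SAMPLE_HEADER = {"typ": "JWT", "alg": "RS256", "kid": "placeholder-key-id"}
SAMPLE_CLAIMS = {
    "aud": "00000000-0000-0000-0000-000000000000",            # placeholder client ID
    "iss": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",  # placeholder tenant
    "iat": 1554249600, "nbf": 1554249600, "exp": 1554253200,
    "name": "Example User", "preferred_username": "user@example.com",
    "sub": "placeholder-subject", "nonce": "placeholder-nonce", "ver": "2.0",
}
SAMPLE_SIGNATURE = bytes(range(256))
SAMPLE_ID_TOKEN = ".".join([
    _b64url_encode(json.dumps(SAMPLE_HEADER, separators=(",", ":")).encode()),
    _b64url_encode(json.dumps(SAMPLE_CLAIMS, separators=(",", ":")).encode()),
    _b64url_encode(SAMPLE_SIGNATURE),
])


def base64url_decode(segment: str) -> bytes:
    """Decode one unpadded base64url segment (RFC 4648 section 5).

    Only the base64url alphabet is accepted and a length that can never be
    valid base64 (len % 4 == 1) is rejected up front, so a tampered or
    truncated segment raises instead of decoding to garbage.
    """
    if not segment or any(c not in _B64URL_ALPHABET for c in segment):
        raise ValueError("segment is not base64url")
    if len(segment) % 4 == 1:
        raise ValueError("segment has an impossible base64 length")
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded)


def decode_id_token(id_token: str) -> dict:
    """Split an id_token into header, claims and raw signature WITHOUT verifying it.

    Returns {"header": dict, "claims": dict, "signature": bytes}. Nothing in
    "claims" may be trusted until the signature has been verified with the key
    selected by header["kid"] and iss, aud, exp and nonce have been checked.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header = json.loads(base64url_decode(parts[0]))
    # Azure AD v2.0 signs id_tokens with RS256; anything else (including "none")
    # is either not from Azure AD or an attempt to bypass signature validation.
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    claims = json.loads(base64url_decode(parts[1]))
    signature = base64url_decode(parts[2])
    return {"header": header, "claims": claims, "signature": signature}


if __name__ == "__main__":
    decoded = decode_id_token(SAMPLE_ID_TOKEN)
    print(json.dumps(decoded["header"], indent=2))
    print(json.dumps(decoded["claims"], indent=2))
    print(f"signature: {len(decoded['signature'])} raw bytes, ready for validation")
```

Decoding the header before the signature is verified is unavoidable, because the header's kid is what selects the public key; the point of the alg check is that the verifier, not the token, decides which algorithm is acceptable.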


2019-04-03