¶ What is ID Token

In the OIDC protocol, you will encounter three types of tokens: id_token, access_token and refresh_token. This article will introduce what is ID Token, you can also read separately:

• What is Access Token
• What is Refresh Token

The most important extension of the OIDC (OpenID Connect) protocol (opens new window) to the OAuth 2.0 protocol (opens new window) is the ID Token data structure. ID Token is equivalent to the user's identity credential. The developer's front-end can carry ID Token when accessing the back-end interface. Developer server can verify the user's ID Token to determine the user's identity. After passing verification, relevant resources are returned.

ID Token is essentially a JWT Token, which contains key/value pairs related to the user's identity information, for example:

{
  "iss": "https://server.example.com",
  "sub": "24400320", // Abbreviation of subject, which is the user ID
  "aud": "s6BhdRkqt3",
  "nonce": "n-0S6_WzA2Mj",
  "exp": 1311281970,
  "iat": 1311280970,
  "auth_time": 1311280969,
  "acr": "urn:mace:incommon:iap:silver"
}

ID Token is essentially a JWT Token, which means:

• The user's identity information is directly encoded into id_token, you don't need to request additional resources to obtain user information;
• id_token can verify that it has not been tampered with. For details, please see How to Verify ID Token.

¶ ID Token complete field meaning

Refer to OIDC specification (opens new window)