ID tokens in the Microsoft identity platform - Microsoft identity platform (2024)

The authorization server issues ID tokens that contain claims that carry information about the user. They can be sent alongside or instead of an access token. Information in ID tokens enables the client to verify that a user is who they claim to be.

Third-party applications are intended to understand ID tokens. ID tokens shouldn't be used for authorization purposes; access tokens are used for authorization. The claims provided by ID tokens can be used for UX inside your application, as keys in a database, and for providing access to the client application. For more information about the claims used in an ID token, see the ID token claims reference. For more information about claims-based authorization, see Secure applications and APIs by validating claims.

Token formats

There are two versions of ID tokens available in the Microsoft identity platform: v1.0 and v2.0. The version determines which claims are in the token, so v1.0 and v2.0 ID tokens differ in the information they carry. The version is determined by the endpoint from which the token was requested. New applications should use the v2.0 endpoint.

  • v1.0: https://login.microsoftonline.com/common/oauth2/authorize
  • v2.0: https://login.microsoftonline.com/common/oauth2/v2.0/authorize

Sample v1.0 ID token

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjdfWnVmMXR2a3dMeFlhSFMzcTZsVWpVWUlHdyIsImtpZCI6IjdfWnVmMXR2a3dMeFlhSFMzcTZsVWpVWUlHdyJ9.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.UJQrCA6qn2bXq57qzGX_-D3HcPHqBMOKDPx4su1yKRLNErVD8xkxJLNLVRdASHqEcpyDctbdHccu6DPpkq5f0ibcaQFhejQNcABidJCTz0Bb2AbdUCTqAzdt9pdgQvMBnVH1xk3SCM6d4BbT4BkLLj10ZLasX7vRknaSjE_C5DI7Fg4WrZPwOhII1dB0HEZ_qpNaYXEiy-o94UJ94zCr07GgrqMsfYQqFR7kn-mn68AjvLcgwSfZvyR_yIK75S_K37vC3QryQ7cNoafDe9upql_6pB2ybMVlgWPs_DmbJ8g0om-sPlwyn74Cc1tW3ze-Xptw_2uVdPgWyqfuWAfq6Q

View this v1.0 sample token in jwt.ms.

Sample v2.0 ID token

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjFMVE16YWtpaGlSbGFfOHoyQkVKVlhlV01xbyJ9.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.1AFWW-Ck5nROwSlltm7GzZvDwUkqvhSQpm55TQsmVo9Y59cLhRXpvB8n-55HCr9Z6G_31_UbeUkoz612I2j_Sm9FFShSDDjoaLQr54CreGIJvjtmS3EkK9a7SJBbcpL1MpUtlfygow39tFjY7EVNW9plWUvRrTgVk7lYLprvfzw-CIqw3gHC-T7IK_m_xkr08INERBtaecwhTeN4chPC4W3jdmw_lIxzC48YoQ0dB1L9-ImX98Egypfrlbm0IBL5spFzL6JDZIRRJOu8vecJvj1mq-IUhGt0MacxX8jdxYLP-KUu2d9MbNKpCKJuZ7p8gwTL5B7NlUdh_dmSviPWrw

View this v2.0 sample token in jwt.ms.

Token lifetime

By default, an ID token is valid for one hour - after one hour, the client must acquire a new ID token.

You can adjust the lifetime of an ID token to control how often the client application expires the application session, and how often it requires the user to authenticate again either silently or interactively. For more information, read Configurable token lifetimes.

Validate tokens

To validate an ID token, your client can check whether the token has been tampered with. It can also validate the issuer to ensure that the correct issuer sent back the token. Because ID tokens are always JWTs, many libraries exist to validate them; you should use one of these libraries rather than writing your own validation. Only confidential clients should validate ID tokens. For more information, see Secure applications and APIs by validating claims.

Public applications (code running entirely on a device or network you don't control such as a user's browser or their home network) don't benefit from validating the ID token. In this instance, a malicious user can intercept and edit the keys used for validation of the token.

The following JWT claims should be validated in the ID token after validating the signature on the token. Your token validation library may also validate the following claims:

  • Timestamps: the iat and nbf timestamps should not be later than the current time, and the exp timestamp should not be earlier than it.
  • Audience: the aud claim should match the app ID for your application.
  • Nonce: the nonce claim in the payload must match the nonce parameter passed into the /authorize endpoint during the initial request.

Next steps

  • Review the OpenID Connect flow, which defines the protocols that emit an ID token.