What are OIDC ID tokens? (2024)

What ID Token Is

The ID token is the key concept in OpenID Connect (OIDC). OIDC is a simple identity layer built on top of OAuth 2.0 that provides authentication and identity assertion.

The ID token is a security token that includes claims about the authentication of the user by the authorization server through an OAuth client application. The ID token may also include other requested claims. It is created on the authorization server's side to encode the user's authentication information. Unlike access tokens, which are intended to be consumed by the resource server, ID tokens are intended to be consumed by the third-party (client) application.

ID tokens store user data and deliver it to the client application. Since the client application receives the ID token only after the user has been authenticated, the ID token serves as proof of the user's identity to the client. Also, since the ID token can carry basic profile information about the user, it can serve as a source of user data that the client can use for different purposes (for example, to enhance the user experience).

ID Token vs Access Token

The OIDC flow returns not only the ID token but also the access token, to ensure compatibility with OAuth and to support identity authorization scenarios. The ID token is for the client's consumption and can be passed around its different components as the representation of the successful authentication and the store of the user's profile information. Yet it should not be used to access APIs. For requesting access to protected resources, you still need to use access tokens. Unlike the ID token, the access token is not intended to carry user data (except for the user's ID passed as the sub claim) but to transmit authorization information, such as scopes that determine which actions the client is allowed to take on the API. Access tokens are for accessing protected API resources; ID tokens should not be used for API access.

ID Token Structure

Typically, the ID token uses the JSON format and takes the form of a JSON Web Token (JWT). Its JSON payload is signed with the private key of the issuer (Cloudentity) and can be verified by the client.

The ID token includes defined property names (claims) that constitute the information about the user to be consumed by the client. The required claims are as follows:

  • Authorization server’s identifier (iss)
  • User’s identifier (sub)
  • Client’s identifier (aud)
  • Expiration time of the ID token (exp)
  • Time at which JWT was issued (iat)

Sample ID Token

{
  "acr": "1",
  "aid": "default",
  "amr": [ "pwd" ],
  "aud": "default-demo",
  "auth_time": 1631696786,
  "email": "",
  "email_verified": false,
  "exp": 1631700395,
  "iat": 1631696795,
  "idp": "default",
  "iss": "https://cloudentity-user.authz.cloudentity.io/cloudentity-user/default",
  "jti": "261e658f-b40a-42f5-9e98-3eb022dfccac",
  "name": "John Doe",
  "nbf": 1631696795,
  "nonce": "c50rf23o825ulrjk38qg",
  "rat": 1631696795,
  "scp": [ "email", "openid", "profile" ],
  "st": "public",
  "sub": "user",
  "tid": "cloudentity-user"
}

Enable ID tokens in Cloudentity

If you want to receive ID tokens, you need to configure your application settings accordingly: enable the id_token response type and the openid scope for your application, as described in Configure Response Types and Configure Scopes.

Configure Response Types

To enable the id_token response type, take the following steps:

  1. In Cloudentity, navigate to the workspace where your application can be accessed for configuration. Select the application and go to its OAuth view.

  2. Navigate to Response Types and add id_token from the drop-down list. Save the changes.

Configure Scopes

To be able to receive ID tokens, your client needs to have the openid scope enabled. With the openid scope enabled, your client application is returned both an ID token and an access token.

To enable the openid scope, take the following steps:

  1. In Cloudentity, navigate to the workspace where your application can be accessed for configuration. Select the application and go to its Scopes view.

  2. Select the Profile service to expand the list of available scopes and select the openid toggle.

Configure TTL

TTL specifies how long a particular ID token is valid and how long it can be used by the client application.

In Cloudentity, TTLs for ID tokens are predefined per workspace (authorization server). You can modify them by entering a particular workspace and navigating to Auth Server > Tokens > TTL > ID token TTL.

ID Token Encryption

To enable ID token encryption, take the following steps:

  1. In the workspace, navigate to Auth Settings > Tokens > Signing and encryption. Under Encryption settings, turn on ID TOKEN ENCRYPTION by toggling the switch.

  2. Then, in the client application in Cloudentity, add the JSON Web Key to the JSON Web Key Set.

  3. Under ID Token key encryption algorithm set the correct algorithm for encrypting the key.

  4. Under ID Token content encryption algorithm set the algorithm for content encryption.

How It Works

The client application requests authorization from Cloudentity. Next, the user needs to authenticate with their IDP. Only then can Cloudentity respond with the user's identity context in the form of the ID token.

The diagram illustrates how to obtain the ID token during the authorization process using the Cloudentity hybrid flow.

sequenceDiagram
    participant User
    participant Client application
    participant Cloudentity tenant
    participant API
    activate User
    User->>Client application: Access
    activate Client application
    Client application->>Cloudentity tenant: Request authorization
    activate Cloudentity tenant
    deactivate Client application
    Cloudentity tenant->>User: Display consent
    User->>Cloudentity tenant: Authenticate
    deactivate User
    Cloudentity tenant->>Client application: Issue authorization code and one or more parameters
    activate Client application
    Client application->>Cloudentity tenant: Request token
    note right of Client application: scope = openid & response_type = ID token
    Cloudentity tenant->>Cloudentity tenant: Verify the authorization code
    Cloudentity tenant->>Client application: Return token
    deactivate Cloudentity tenant

Validate an ID Token

The ID token is a signed JWT, that is, a JWS. It is signed using the server's private JWK. Optionally, it can be both signed and encrypted. Since each ID token is an encoded and signed JWT, its validation needs to start with decoding all three of its parts with base64url decoding.

After decoding the token parts, you need to verify the following:

  • Signature: Check that the signing algorithm indicated in the alg header parameter is the expected one and verify the signature with the public key.
  • Standard claims: After decoding the payload, verify that it contains the relevant claims with the expected values.
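The validation steps above, checked against the required claims listed under ID Token Structure, as an added example in Go; this is not Cloudentity's code. It assumes the issuer signs with EdDSA over Ed25519 (RFC 8037) rather than the server's actual algorithm, that aud is a single string, and a 60-second clock-skew allowance; MintIDToken stands in for the authorization server only so that the validator has a token to check.

```go
package main
import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding
// Claims is the subset of ID token claims checked below; aud is assumed to be a single string.
type Claims struct {
	Iss, Sub, Aud, Nonce string // encoding/json matches the lowercase JSON names case-insensitively
	Exp, Iat             int64
}
// MintIDToken stands in for the authorization server: it signs header.payload with the issuer's private key (assumed alg: EdDSA over Ed25519, RFC 8037).
func MintIDToken(priv ed25519.PrivateKey, c Claims) string {
	body, _ := json.Marshal(map[string]any{"iss": c.Iss, "sub": c.Sub, "aud": c.Aud, "exp": c.Exp, "iat": c.Iat, "nonce": c.Nonce})
	signing := b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return signing + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(signing)))
}
// ValidateIDToken: base64url-decode the three parts, pin the alg header, verify the signature
// with the issuer's public key, then compare iss, aud, exp, iat and nonce with what this client expects.
func ValidateIDToken(tok string, pub ed25519.PublicKey, iss, aud, nonce string, now int64) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("token must have exactly three parts")
	}
	hdrJSON, e1 := b64.DecodeString(parts[0])
	payload, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	var hdr struct{ Alg string }
	var c Claims
	switch { // cases run in order, so each check can rely on the earlier ones having passed
	case e1 != nil || e2 != nil || e3 != nil:
		return nil, errors.New("base64url decoding failed")
	case json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "EdDSA": // never let the token choose alg
		return nil, errors.New("unexpected alg header")
	case !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig):
		return nil, errors.New("signature verification failed")
	case json.Unmarshal(payload, &c) != nil:
		return nil, errors.New("payload is not valid JSON")
	case c.Iss != iss || c.Aud != aud:
		return nil, errors.New("iss/aud mismatch: not issued by this server for this client")
	case now >= c.Exp || c.Iat > now+60:
		return nil, errors.New("expired, or iat more than 60s in the future")
	case c.Nonce != nonce:
		return nil, errors.New("nonce mismatch: not the nonce sent with this login request")
	}
	return &c, nil
}
```

The aud check is what stops an ID token minted for a different client (or passed to an API as if it were an access token) from being accepted.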

FAQs

What is an OIDC ID token? ›

OIDC is a simple identity layer built on top of OAuth 2.0 that provides authentication and identity assertion. The ID token is a security token that includes claims regarding the authentication of the user by the authorization server with the use of an OAuth client application.

What should an ID token contain? ›

An ID token contains information about what happened when a user authenticated, and is intended to be read by the OAuth client. The ID token may also contain information about the user such as their name or email address, although that is not a requirement of an ID token.

What is the ID token issued for? ›

ID tokens are a type of security token that serves as proof of authentication, confirming that a user is successfully authenticated. Information in ID tokens enables the client to verify that a user is who they claim to be, similar to name tags at a conference.

What is the difference between access tokens and ID tokens? ›

Unlike access tokens, which are opaque objects that cannot be inspected by the application, ID tokens are meant to be inspected and used by the application.

What are token ids? ›

Token ID puts issuers in control of payment tokenization, enabling them to build and manage their tokenization capabilities in the cloud or on-premise and deliver enriched payment options for cardholders.

Where is the OIDC token stored? ›

After the user authenticates with the OIDC provider, the access, ID, and refresh tokens are stored in the BFF.

What are claims in an ID token? ›

Beyond what is required for a JWT, ID tokens also contain claims asserted about the authenticated user, which are pre-defined by the OpenID Connect (OIDC) protocol and are thus known as standard OIDC claims. Some standard OIDC claims include name and nickname.

How do I get a token in OpenID Connect? ›

It can get a token by using an OIDC client filter before propagating it. It can get a token by using a programmatically created OIDC client and propagate it by passing it to a REST client method as an HTTP Authorization header value. It can use an OIDC token propagation filter to propagate the incoming access token.

Why not use ID token for authorization? ›

If your API accepts an ID token as an authorization token, to begin with, you are ignoring the intended recipient stated by the audience claim. That claim says that it is meant for your client application, not for the resource server (i.e., the API).

What are the different types of OpenID tokens? ›

This topic presents an overview of the two types of tokens in OpenID Connect: ID tokens and access tokens. These tokens can be used to gain access to users' information and to protected resources on behalf of the users.

Where should I store ID token? ›

We recommend storing tokens on the server, as this offers traditional web apps the maximum level of security. If this cannot be done, you should use encrypted session cookies so the client cannot read token values.

What is the ID token in OpenID Connect? ›

ID tokens are a standardized feature of OpenID Connect designed for use in sharing identity assertions on the Internet. The most commonly used approaches for authenticating a user and obtaining an ID token are called the "server" flow and the "implicit" flow.

Is the ID token secret? ›

ID tokens are private to the client and should never be sent to APIs. Access tokens are also received by clients, who treat them as opaque strings and send them as message credentials when calling APIs.

What should an access token contain? ›

An access token is a tiny piece of code that contains a large amount of data. Information about the user, permissions, groups, and timeframes is embedded within one token that passes from a server to a user's device. Plenty of websites use access tokens.

What is the id_token in Okta? ›

The ID token is a security token granted by the OpenID provider that contains information about an end user. This information tells your client app that the user is authenticated, and can also give you information like their username or location. You can pass an ID token to different components of your client.

What is OIDC and how does it work? ›

OpenID Connect (OIDC) is an identity authentication protocol that is an extension of open authorization (OAuth) 2.0 to standardize the process for authenticating and authorizing users when they sign in to access digital services. OIDC provides authentication, which means verifying that users are who they say they are.

What is the difference between refresh token and ID token? ›

A refresh token is a long-lived special kind of token used to obtain a renewed access token. The ID token carries identity information encoded in the token itself, which must be a JWT. It must not contain any authorization information or any audience information: it is merely an identifier for the user.

Article information

Author: Pres. Lawanda Wiegand