ID Token
An ID token is a JSON Web Token issued by an OpenID Connect provider that contains claims about the authentication event and the identity of the user.
Also: id token
An ID token is a security token defined by OpenID Connect. It is a signed JSON Web Token (JWT) that the authorization server issues to the client application after the user authenticates. The token contains claims that describe who the user is and how and when the authentication took place.
Standard claims include a subject identifier, the issuing authority, the audience the token is intended for, and timestamps for issuance and expiration. Additional claims such as email, name, or locale may be included depending on the scopes requested. The client validates the token’s signature, checks the issuer and audience, and confirms the token has not expired before trusting its contents.
Unlike an access token, an ID token is meant to be read by the client, not sent to a resource server. It answers the question “who logged in?” rather than “what can this request do?”
For CIAM, the ID token is the standard way for customer-facing applications to receive verified identity information after login.
Sources
- OpenID Connect Core 1.0: https://openid.net/specs/openid-connect-core-1_0.html
Related terms
Standards
- OpenID Connect Core 1.0