
ID Tokens

An ID Token is a signed JSON Web Token (JWT) that serves as the definitive proof of a user's identity and of the authentication event that produced it. Unlike an Access Token (which is presented to APIs and resource servers), the ID Token is designed to be consumed by the Client Application itself, so that it can establish who is logged in.

ID Token: Identity Artifact

Core mission: Identity assertion. Safely conveying user identity and authentication context from the Identity Provider to the Client Application.

Like a driver's license: it is a single, compact artifact containing your photo (claims), your info, and a government watermark (digital signature) that proves it's authentic.

Used for: user sign-in, personalization, security validation.

Every ID Token is composed of three Base64URL encoded parts, separated by dots.

1. The Header: Contains the metadata about the token, including the signing algorithm (e.g. `RS256`) and the key ID (`kid`) that identifies which IdP key signed it.

2. The Payload (Claims): The core data: `sub` (user ID), `iss` (issuer), `aud` (client ID), and `exp` (expiration). This describes the Who and When.

3. The Signature: The cryptographic proof. Created using the IdP's private key over the header and payload, it ensures the token hasn't been tampered with and was issued by the IdP.

Your application MUST validate every ID Token before trusting its contents.

| Check | Action | Why? |
|---|---|---|
| Signature | Verify with the IdP's public key | Ensures the token is authentic and untampered. |
| Issuer (`iss`) | Match against the trusted IdP URL | Confirms the token came from the expected source. |
| Audience (`aud`) | Match against your Client ID | Prevents a token issued to another app from being used in yours. |
| Expiration (`exp`) | Ensure current time < `exp` | Protects against the use of leaked, old tokens. |
| Nonce (`nonce`) | Match against the request-time value | Specifically prevents token replay attacks. |

Implementation: Manual Token Validation (Node.js)


While a well-maintained library is recommended for production use, understanding the verification logic it performs is critical for security engineering.

```js
const jwt = require('jsonwebtoken');
const jwksClient = require('jwks-rsa');

// Resolves the IdP's public signing key by `kid`; jwks-rsa caches the JWKS.
const client = jwksClient({ jwksUri: 'https://auth.company.com/.well-known/jwks.json' });

function getKey(header, callback) {
  client.getSigningKey(header.kid, (err, key) => {
    if (err) return callback(err); // unknown kid or JWKS fetch failure
    callback(null, key.getPublicKey());
  });
}

// `idToken` is the raw token returned by the token endpoint; `expectedNonce`
// is the value stored in the session when the authentication request was sent.
jwt.verify(idToken, getKey, {
  issuer: 'https://auth.company.com/',
  audience: 'your-client-id',
  nonce: expectedNonce,
  algorithms: ['RS256'] // pin the algorithm; never take it from the token header
}, (err, decoded) => {
  if (err) throw new Error('Identity Validation Failed');
  console.log('User Identity Verified:', decoded.sub);
});
```

Explore how identity is extended and managed within the OIDC framework.
