The ID Token is an IT:AD:OpenId Connect (OIDC) security token that contains Claims about the Authentication of an End-User by an Authorization Server when using a Client, and potentially other requested Claims. The ID Token is represented as a a IT:AD:JWT.

The JWT's body is as follows:

  "sub"       : "jsmith",
  "iss"       : "",
  "aud"       : "client-12345",
  "nonce"     : "n-0S6_WzA2Mj",
  "auth_time" : 1311280969,
  "acr"       : "c2id.loa.hisec",
  "iat"       : 1311280970,
  "exp"       : 1311281970,

The keys are for: Subject (sub), Identity ISuer (iis), intended Audience client (aud), issued at (iat) and when it will epire (exp). May optionally contain a nonceand when the authentication took place (auth_time)

As all IT:AD:JWTs, the body is

var jwt = base64Header+"."+base64Body+"."+signatureHash;


The JWT is made of standard claims about the Authentication of the User, and – optionally – other claims:


A id_token allows for:

  • stateless sessions: which better suits scaling than server side storage.
  • passing information to 3rd party services: as the JWT's contents is only encoded, and not encrypted, the claims package can be selectively shared with 3rd party services (eg: logging).
  • token exchange: [TODO].