ID tokens are security tokens that contain information about a user’s identity and authentication status and rely on OpenID Connect (OIDC), a free authentication standard. They are relevant in single sign-on (SSO) authentication procedures such as OAuth 2.0 and assure that a user’s identity is legitimate throughout the authentication operations.

...

  1. Provides information about the user to the RP (Relying Party)

  2. Proves the user’s authentication by the IDP (Identity Provider)

  3. Enables SSO

  4. Implements authorization policies based on the user’s attributes or roles

  5. Reduces network latency and bandwidth by avoiding unnecessary calls to the IDP

  6. Enhances security and privacy (minimizing exposure of sensitive user data)

...

First, the user requests access to a resource from the web browser. The browser redirects the user to the IDP for authentication.

The IDP then returns a consent page for the user to grant permission. Once the user does that, the web browser requests the IDP to issue an ID token. Subsequently, the browser passes the ID token received from the IDP to the web application.

Finally, the web application uses the ID token to obtain information about the user requesting the resource from the resource server.

Tip

An ID token includes user information (such as username and email address) and information about the authentication event (the time, method, and authentication scope). In addition to verifying identity, an ID token can verify a user’s access rights and is used as a bearer token in the authorization header of an HTTP request.