Understanding the OIDC Token

JFrog Platform Administration Documentation

OIDC flows are based on OAuth flows. In an OAuth flow, the end-user provides their credentials to the identity provider. The user receives an authorization prompt, in which they allow the delegated app to reuse their login to the identity provider. OAuth then provides the application an Access Token, which authorizes the user to access an app, but does not contain any information about the user. OIDC also uses an authorization prompt to authenticate a user and provide an ID Token. The ID Token is technically a JSON Web Token (JWT), and includes identifiable information about the user, such as their name and email address. The application can use this ID Token to prove users are authenticated.

When a user authenticates to an application through an identity platform using the OIDC protocol, the identity platform sends a token to the application. The application validates the token and uses it to sign the user in, instead of prompting for a username and password.

The OIDC token grants the user permissions and defines the token scope. OIDC goes one step further by providing the UserInfo Endpoint, which delivers information about the user using a set of standard scopes while still allowing customization. An OIDC ID Token includes the following basic claims:

ID Token Claim                       Description
sub (subject)                        Asserts the user's identity
iss (issuer)                         Specifies which authority issued the token
aud (audience)                       Specifies for which client the token was generated
iat (issue time)                     Specifies when the token was generated
exp (expiration time)                Specifies when the token is set to expire
auth_time (authentication time)      Specifies when the user was authenticated
acr (authentication encryption)      Specifies the encryption strength used to authenticate the user

The ID Token provides apps with additional user data, which isn’t a part of the authentication process but is used for functional purposes. The ID Token can include names, emails, and more (see the full list of OIDC standard user claims).
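The validation step mentioned above is where the basic claims in the table matter: an application must check the signature and then each of iss, aud, sub, iat, exp and (when present) auth_time before it trusts the identity in the token. The following is an added example, not code from the JFrog Platform or its documentation. It uses only the Python standard library and signs sample tokens with HS256 under a constructed shared secret so it runs offline; a real OIDC provider signs ID Tokens with an asymmetric key published at its JWKS endpoint, and the issuer URL, client id, secret and clock-skew allowance are all assumed values for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only: the issuer we trust, the client id the
# token should be minted for, a shared HS256 secret standing in for the provider's
# signing key, and the clock skew we tolerate between the provider and ourselves.
EXPECTED_ISSUER = "https://idp.example.com"
EXPECTED_AUDIENCE = "artifactory-client"
SHARED_SECRET = b"example-secret-not-for-production"
CLOCK_SKEW_SECONDS = 60


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Build an HS256-signed JWT from claims (helper to produce sample tokens)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def validate_id_token(token: str, now=None,
                      expected_issuer: str = EXPECTED_ISSUER,
                      expected_audience: str = EXPECTED_AUDIENCE,
                      secret: bytes = SHARED_SECRET) -> dict:
    """Verify the signature, then each basic claim; return the claims or raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(_b64url_decode(header_b64))
    # Never let the token choose its own algorithm: pin the one we expect.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")

    claims = json.loads(_b64url_decode(payload_b64))

    # iss: the token must come from the authority we configured, not any issuer.
    if claims.get("iss") != expected_issuer:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    # aud: a string or a list; our own client id must be among the audiences.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        raise ValueError(f"token not issued for this client: {aud!r}")
    # sub: without it there is no identity to assert.
    if not claims.get("sub"):
        raise ValueError("missing sub claim")
    # exp / iat: reject expired tokens and tokens that claim a future issue time.
    for name in ("exp", "iat"):
        if not isinstance(claims.get(name), int):
            raise ValueError(f"missing or non-numeric {name} claim")
    if now >= claims["exp"] + CLOCK_SKEW_SECONDS:
        raise ValueError("token has expired")
    if claims["iat"] > now + CLOCK_SKEW_SECONDS:
        raise ValueError("token issued in the future")
    # auth_time is optional, but when present it cannot post-date issuance.
    auth_time = claims.get("auth_time")
    if auth_time is not None and auth_time > claims["iat"] + CLOCK_SKEW_SECONDS:
        raise ValueError("auth_time is later than iat")
    return claims


if __name__ == "__main__":
    issued = int(time.time())
    sample = mint_id_token({
        "iss": EXPECTED_ISSUER, "sub": "user-1234", "aud": EXPECTED_AUDIENCE,
        "iat": issued, "exp": issued + 300, "auth_time": issued - 5,
        "name": "Example User", "email": "user@example.com",
    })
    print(validate_id_token(sample)["email"])
```

The order of checks is deliberate: the signature is verified before any claim is read, so a forged payload never influences the issuer or audience comparison, and the algorithm is pinned so that a header declaring a different algorithm is rejected outright. Extra profile claims such as name and email are returned unchanged once the basic claims pass, which is the point made above: they serve the application, not the authentication decision.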