The ID Token is returned when performing the OIDC Implicit Flow requesting the ID Token. It is requested by passing the response_type=id_token parameter during the authorization request.
The ID Token contains verified information about your customer. Each token has been digitally signed by Unidy, so once its signature is verified you can rely on the token content to be correct and not manipulated. This can be useful, e.g., if you want to use the token to grant the user access to premium content.
Example
This is an example of an actual ID Token:
eyJ0eXAiOiJKV1QiLCJraWQiOiJEMDZWYVZQVXpfNFU5UjZna3ZYX2k1U0JXTmRVYkNiVmxqSVhxdGtvV0NnIiwiYWxnIjoiUlMyNTYifQ.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.VkPrHSdejBHtjWSQ0rTNKp1K9xIIWBgyQGiwCEXZlc_DjUribSO50k7Juy1JB13fiYWTvitDAVS6FGp7I4qRa7PomdScwqZF9ibqdAeyDdziUCZuiEhbvNa1YyRM-a8XwlHP77bOYUPb0jgmLZ__5boLPIJGttf-baghODk_nYt3i9BC7NkVPCQd12Sb2m-S6370gQcr1WkhpYKjvI9ncNl9WfEb7UNGHPXZ65BWq2fMzVaWYNM4ncrQyb2EadzdNJE9-VT5Xt2wfN-GTfIIpn8U6Cc69lyu0ruy8YKSMO5eVU4a0AT6DdgIgSyJCPErnEqkFlTMyQCoIAo6zsQ8yA
You can easily read the content by pasting the token into https://jwt.io/
The content of the token depends on what information you requested from Unidy during the authorization process (OIDC Details and Parameters).
This is an example of an actual ID Token payload:
{
  "iss": "https://demo.unidy.de",
  "sub": "8b491f27-273e-4742-a0b1-8eab6d3183ce",
  "aud": "OsiOLgUJrjDUYJkXuuukzFeLwqP98dsj11xVYbd72R8",
  "exp": 1720340388,
  "iat": 1720340268,
  "auth_time": 1720338626,
  "email": "johannes.strampe@unidy.de",
  "email_verified": true,
  "given_name": "Johannes",
  "family_name": "Strampe",
  "name": "Johannes Strampe",
  "updated_at": "2024-07-07 10:17:23 +0200",
  "address": {
    "formatted": "Spitalerstr. 10\n20095\nHamburg\nGermany",
    "street_address": "Spitalerstr. 10",
    "locality": "Hamburg",
    "region": "",
    "country": "Germany",
    "postal_code": "20095",
    "address_line_1": "Spitalerstr. 10",
    "address_line_2": "",
    "street": "Spitalerstr.",
    "house_number": "10",
    "country_code": "DE",
    "company": "Unidy GmbH"
  }
}
The field exp defines the time when the token becomes invalid. The lifespan is 120 seconds.
Verify an ID Token
To verify that the ID Token has been signed correctly, you should use one of the several available libraries.
In addition to the ID Token, you need the JWKS (JSON Web Key Set) to verify the signature. Its location can be found in the well-known endpoint of your Unidy instance, located at https://<YOUR_TENANT>.unidy.de/.well-known/openid-configuration under the key jwks_uri. See this example.
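The checks behind verification, as an added example that is not Unidy's code: it selects the JWKS key by kid, verifies the RS256 signature using only the Python standard library, then checks iss, aud and exp. make_demo_token and its small RSA key are constructed fixtures so the block runs offline; in a real integration the JWKS comes from jwks_uri and a maintained JWT library does this work.

```python
import base64, hashlib, json, time

# DER DigestInfo prefix for SHA-256 (RFC 8017, EMSA-PKCS1-v1_5)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def encode_em(signing_input, k):
    """PKCS#1 v1.5 encoded message of k bytes for an RS256 signature."""
    digest = hashlib.sha256(signing_input.encode()).digest()
    return b"\x00\x01" + b"\xff" * (k - 54) + b"\x00" + SHA256_PREFIX + digest

def verify_id_token(token, jwks, issuer, audience, now=None):
    """Return the claims of a valid ID Token, raise ValueError otherwise."""
    h64, p64, s64 = token.split(".")
    header = json.loads(b64d(h64))
    if header.get("alg") != "RS256":  # pin the algorithm, never take it from the token
        raise ValueError("unexpected alg")
    key = next((j for j in jwks["keys"] if j.get("kid") == header.get("kid")), None)
    if key is None or key.get("kty") != "RSA":
        raise ValueError("no JWKS key for kid")
    n, e = (int.from_bytes(b64d(key[x]), "big") for x in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(b64d(s64), "big")
    if s >= n or pow(s, e, n).to_bytes(k, "big") != encode_em(f"{h64}.{p64}", k):
        raise ValueError("bad signature")
    claims = json.loads(b64d(p64))
    aud = claims.get("aud")  # aud may be a single string or a list
    if claims.get("iss") != issuer or audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong iss or aud")
    if (time.time() if now is None else now) >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

def make_demo_token(claims, kid="demo-key"):
    """Constructed fixture: signs with a 511-bit RSA key, far too small for real use."""
    p, q, e = 2**255 - 19, 2**256 - 2**32 - 977, 65537  # two well-known primes
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    k = (n.bit_length() + 7) // 8
    jwk = {"kty": "RSA", "kid": kid, "n": b64e(n.to_bytes(k, "big")), "e": b64e(e.to_bytes(3, "big"))}
    head = b64e(json.dumps({"typ": "JWT", "kid": kid, "alg": "RS256"}).encode())
    body = b64e(json.dumps(claims).encode())
    em = int.from_bytes(encode_em(f"{head}.{body}", k), "big")
    return f"{head}.{body}.{b64e(pow(em, d, n).to_bytes(k, 'big'))}", {"keys": [jwk]}
```

Pass the client ID you registered as audience and your tenant URL as issuer; a token that verifies but was issued for another client must still be rejected.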