Reputation: 3117
I just got the following result when I tried to do OAuth2 to googleapi. Only one thing: I couldn't find what id_token is used for in the documentation.
    {
      "access_token": "xxxx",
      "token_type": "Bearer",
      "expires_in": 3600,
      "id_token": "veryverylongstring",
      "refresh_token": "abcdefg"
    }
Upvotes: 74
Views: 54228
Reputation: 1080
The id_token is used in the OpenID Connect protocol, where the user is authenticated as well as authorized. (There's an important distinction between authentication and authorization.) You will get id_token and access_token.
The id_token value contains the information about the user's authentication. The ID token resembles the concept of an identity card, in a standard JWT format, signed by the OpenID Provider (OIDP). To obtain one, the client needs to send the user to their OIDP with an authentication request.
Features of the ID token:
The ID token statements, or claims, are packaged in a simple JSON object:
    {
      "sub" : "alice",
      "iss" : "https://openid.c2id.com",
      "aud" : "client-12345",
      "nonce" : "n-0S6_WzA2Mj",
      "auth_time" : 1311280969,
      "acr" : "c2id.loa.hisec",
      "iat" : 1311280970,
      "exp" : 1311281970
    }
Upvotes: 34
Reputation: 3344
id_token is a JSON Web Token (JWT). If you decode it, you'll see it contains multiple assertions, including the ID of the user. See this answer for more details.
Upvotes: 74