ID token claims
An ID token is a JSON Web Token (JWT) containing cryptographically signed claims about a user’s profile information. This is issued by Scalekit after successful authentication. The ID token is a Base64-encoded JSON object with three parts: header, payload, and signature.
Here’s an example of the payload. Note this is formatted for readability and the header and signature fields are skipped.
{ "iss": "https://yoursaas.scalekit.com", "azp": "skc_12205605011849527", "aud": ["skc_12205605011849527"], "amr": ["conn_17576372041941092"], "sub": "conn_17576372041941092;google-oauth2|104630259163176101050", "at_hash": "HK6E_P6Dh8Y93mRNtsDB1Q", "c_hash": "HK6E_P6Dh8Y93mRNtsDB1Q", "iat": 1353601026, "exp": 1353604926, "name": "John Doe", "given_name": "John", "family_name": "Doe", "picture": "https://lh3.googleusercontent.com/a/ACg8ocKNE4TZj2kyLOj094kie_gDlUyU7JCZtbaiEma17URCEf=s96-c", "locale": "en", "email": "john.doe@acmecorp.com", "email_verified": true}
Full list of ID token claims
Section titled “Full list of ID token claims”Claim | Presence | Description |
---|---|---|
aud | Always | Intended audience (client ID) |
amr | Always | Authentication method reference values |
exp | Always | Expiration time (Unix timestamp) |
iat | Always | Issuance time (Unix timestamp) |
iss | Always | Issuer identifier (Scalekit environment URL) |
oid | Always | Organization ID of the user |
sub | Always | Subject identifier for the user |
at_hash | Always | Access token hash |
c_hash | Always | Authorization code hash |
azp | Always | Authorized presenter (usually same as aud ) |
email | Always | User’s email address |
email_verified | Optional | Email verification status |
name | Optional | User’s full name |
family_name | Optional | User’s surname or last name |
given_name | Optional | User’s given name or first name |
locale | Optional | User’s locale (BCP 47 language tag) |
picture | Optional | URL of user’s profile picture |
Verifying the ID token
Section titled “Verifying the ID token”In some cases, you may need to parse the ID token manually—for example, to access custom claims that are not part of the standard User
object in the SDK method. These details are encoded in the ID token as JSON Web Token (JWT).
To verify the signature, you need to:
- Fetch the public signing keys from the JSON Web Key Set (JWKS) endpoint.
- Use a JWT library for your language to decode and verify the token using the keys.
The JWKS endpoint for your environment is located at:
https://<YOUR_ENVIRONMENT_URL>/keys
For example, if your Scalekit Environment URL is https://your-environment.scalekit.com
, the keys can be found at https://your-environment.scalekit.com/keys
.
Important claims
Section titled “Important claims”When validating, pay special attention to these claims:
iss
(Issuer): This must match your Scalekit environment URL.aud
(Audience): This must match your application’s client ID.exp
(Expiration Time): Ensure the token has not expired.sub
(Subject): This uniquely identifies the user, often combining theconnection_id
and the identity provider’s unique user ID.amr
: Contains theconnection_id
used for authentication.
This structure provides a neutral, factual reference for ID token claims in Scalekit, organized according to the data structure itself.
An ID token is nothing but a cryptographically signed Base64-encoded JSON object containing a set of name/value pairs about the user’s profile information. Essentially, it is a JWT token. Ideally, it is advised that you validate an ID token before you use it, but since you are communicating directly with Scalekit over an intermediary-free HTTPS channel and using your client secret to exchange the code
for the ID token, you can be confident that the token you receive really comes from Scalekit and is valid.
If you are using our Scalekit SDK to exchange the code for the ID token, the work of decoding the base64url-encoded values and parsing the JSON within, validating the JWT and accessing the claims within the ID token is automatically taken care of.