Anss Amin
Thank you for writing this, you’ve presented a lot of information in a pretty concise manner.
Micah
My pleasure!
YurkshireLad
Thanks, this is the best explanation I’ve seen yet.
Ohad Cohen
Hi,
What is the “sub” property?
Is it possible to get the user image?
phiipl
Hi!
What should the client do once the id token is expired? I would assume the refresh token could be used to get an id_token again, however as written in the article it seems that the refresh token is only used to get more access tokens, not id tokens.
phiipl
The “sub” claim is the Subject Identifier.
sub REQUIRED. Subject Identifier. A locally unique and never reassigned identifier within the Issuer for the End-User, which is intended to be consumed by the Client, e.g., 24400320 or AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4. It MUST NOT exceed 255 ASCII characters in length. The sub value is a case sensitive string.
A list of id token claims is available here: https://openid.net/specs/op…
Igor Khomenko
Did you get an answer for this?
Guy Tucker
Micah - This has been really helpful to me and my colleagues as we join the world of OIDC authentication. Thank you for taking the time to put this primer together, and keeping it simple enough for people like me to grasp. Good work!
mohmmad ibrahim
Hi - Is the sub identifier encoded? The reason for asking is that if I get a header value in plain text (x-amz-oidc-token) I'm getting an email value, but if I get the x-amz-oidc-data (JWT token) I'm getting a gibberish value. What is the difference?
For example below.
x-amzn-oidc-accesstoken
The access token from the token endpoint, in plain text sub: "xxxxxx4hqxWCkbuw60x7.
x-amzn-oidc-data
The user claims, in JSON web tokens (JWT) format.
sub : 7888111@email.com