Inclusion Relation among JWS, JWE, JWT, ID Token and Access Token

Takahiko Kawasaki

2 min readSep 10, 2021

--

Inclusion Relation JWS, JWE, JWT and ID Token

Both JWS (JSON Web Signature) and JWE (JSON Web Encryption) have two methods of serialization; “JSON” and “Compact”.
JWT (JSON Web Token) is either JWS or JWE. In either case, its serialization is “Compact” because the specification defines so.
By definition, ID Token is signed. Therefore, its format is either “JWS” or “JWE including JWS”.
ID Token never takes the form of “JWS including JWE”. It’s because when ID Token is encrypted, the order must be “signed then encrypted” as the specification requires so.

Inclusion Relation among Access Token, JWT and ID Token

Access Token is not always a JWT.
ID Token is always a JWT by definition.
Even if ID Token is used for access control, ID Token is not called Access Token.

References

[spec] RFC 7515 JSON Web Signature (JWS)
[spec] RFC 7516 JSON Web Encryption (JWE)
[spec] RFC 7519 JSON Web Token (JWT)
[spec] OpenID Connect Core 1.0, 2. ID Token
[blog] Understanding ID Token
[blog] OAuth Access Token Implementation

Written by Takahiko Kawasaki

Co-founder and representative director of Authlete, Inc., working as a software engineer since 1997. https://www.authlete.com/

No responses yet

Help
Status
About
Careers
Press
Blog
Privacy
Terms
Text to speech
Teams