Inclusion Relation among JWS, JWE, JWT, ID Token and Access Token

Inclusion Relation JWS, JWE, JWT and ID Token
  • Both JWS (JSON Web Signature) and JWE (JSON Web Encryption) have two methods of serialization; “JSON” and “Compact”.
  • JWT (JSON Web Token) is either JWS or JWE. In either case, its serialization is “Compact” because the specification defines so.
  • By definition, ID Token is signed. Therefore, its format is either “JWS” or “JWE including JWS”.
  • ID Token never takes the form of “JWS including JWE”. It’s because when ID Token is encrypted, the order must be “signed then encrypted” as the specification requires so.
Inclusion Relation among Access Token, JWT and ID Token
  • Access Token is not always a JWT.
  • ID Token is always a JWT by definition.
  • Even if ID Token is used for access control, ID Token is not called Access Token.

References

Co-founder and representative director of Authlete, Inc., working as a software engineer since 1997. https://www.authlete.com/