Inclusion Relation among JWS, JWE, JWT, ID Token and Access Token
- Both JWS (JSON Web Signature) and JWE (JSON Web Encryption) have two serialization methods: “JSON” and “Compact”.
- JWT (JSON Web Token) is either JWS or JWE. In either case, its serialization is “Compact” because the specification defines it so.
- By definition, ID Token is signed. Therefore, its format is either “JWS” or “JWE including JWS”.
- ID Token never takes the form of “JWS including JWE”, because when ID Token is encrypted, the specification requires the order to be “signed then encrypted”.
- Access Token is not always a JWT.
- ID Token is always a JWT by definition.
- Even if ID Token is used for access control, ID Token is not called Access Token.
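
The relations listed above can be checked on a token's outer shape before any cryptographic processing. The following is an added example, not code from the original page: the function names and sample tokens are constructed for illustration, the signature and ciphertext segments are dummy values, and no signature verification or decryption is performed.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment of a compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_json(obj) -> str:
    """Encode an object as unpadded base64url JSON (used only to build samples)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def classify(token: str) -> str:
    """Return 'JWS' or 'JWE' for a compact token, 'JSON' or 'opaque' otherwise."""
    if token.lstrip().startswith("{"):
        return "JSON"  # JSON serialization, so not a JWT
    parts = token.split(".")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:
        return "opaque"  # e.g. a random-string access token
    if not isinstance(header, dict) or "alg" not in header:
        return "opaque"
    if len(parts) == 5 and "enc" in header:
        return "JWE"
    if len(parts) == 3 and "enc" not in header:
        return "JWS"
    return "opaque"

def id_token_form(token: str) -> str:
    """Return the allowed ID Token form or raise ValueError. No signature check here."""
    kind = classify(token)
    if kind == "JWE":
        # The signed JWS is inside the ciphertext: decrypt, then re-check the plaintext.
        return "JWE including JWS"
    if kind != "JWS":
        raise ValueError("ID Token must be a compact-serialized JWT, got " + kind)
    try:
        claims = json.loads(b64url_decode(token.split(".")[1]))
    except ValueError:
        claims = None
    if not isinstance(claims, dict):
        raise ValueError("JWS payload is not a claims object (JWS including JWE?)")
    return "JWS"

# Constructed samples: signatures and ciphertext are dummy values, nothing is verified.
JWS = ".".join([b64url_json({"alg": "RS256"}), b64url_json({"iss": "https://issuer.example", "sub": "u1"}), "c2ln"])
JWE = ".".join([b64url_json({"alg": "RSA-OAEP", "enc": "A256GCM", "cty": "JWT"}), "a2V5", "aXY", "Y3Q", "dGFn"])
JWS_OVER_JWE = ".".join([b64url_json({"alg": "RS256", "cty": "JWT"}), base64.urlsafe_b64encode(JWE.encode()).rstrip(b"=").decode(), "c2ln"])
```

A shape check like this only rejects tokens early; an ID Token that passes it still needs its signature and claims validated, and for the encrypted form the decrypted plaintext must itself classify as JWS.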