Overview
OIDC Introduction
OIDC (OpenID Connect) builds an identity layer on top of OAuth2 and is an identity authentication standard protocol based on the OAuth2 protocol. It enables clients to verify the identity of end users based on the authorization server's verification. OAuth2.0 provides authorization, i.e., the process of verifying whether there is permission to access something. OIDC provides authentication, i.e., the process of verifying identity.
OAuth2 uses access tokens to authorize third-party applications to access protected information. OIDC follows the OAuth2 protocol flow and, on this basis, provides id_token to solve the user identity authentication problem for third-party applications. OIDC provides third-party applications with user identity authentication information in the form of id_token. id_token is encapsulated based on JWT (JSON Web Token), featuring self-containment, compactness, and tamper resistance. After verifying the correctness of the id_token, the third-party application can further read more user information through the access token obtained by the OAuth2 authorization flow. To understand id_token, let's first look at what JWT is.
JWT Introduction
What is JWT
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way to securely transmit information as a JSON object between parties. Because this information is digitally signed, it can be verified and trusted. JWT can be signed and encrypted using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
A digitally signed JWT can guarantee the non-repudiation, authentication, and integrity of id_token, but it cannot guarantee confidentiality, so it is not recommended to include sensitive data with confidentiality requirements in id_token.
JWT Structure
A JSON Web Token consists of three parts separated by dots (.): Header.Payload.Signature.
What is ID Token
An ID Token is a security token, a JWT containing specific claims. Specific claims refer to information generated by the authentication server for the client when verifying the end user, such as issuer (iss), end-user identifier (sub), client id (aud), expiration time (exp), token issuance time (iat), etc. Additional claims may also be included. The ID Token is issued by the authentication server (OP) and verified by the client (RP). It looks like this:

Main Components of ID Token
The ID Token mainly contains the following required claims. Custom claims can also be added according to the application mapping configuration.
iss = Issuer Identifier: Required. The unique identifier of the party providing authentication information. Fixed as: https://{your_domain}/api/v1/oauth2.
jti = JWT ID: Required. The unique identifier of the token, which can be used to prevent token reuse.
sub = Subject Identifier: Required. The account name of the application. The identifier of the EU provided by iss, unique within the scope of iss. It is used by the RP to identify a unique user. Maximum of 255 ASCII characters.
aud = Audience(s): Required. Identifies the audience of the ID Token. The clientid assigned to the third-party application after access is approved.
exp = Expiration time: Required. Expiration time. The ID Token will be invalid and not verified after this time.
iat = Issued At Time: Required. The time when the JWT was built.
nbf = Not Before: Required. The initial generation time of the JWT. The ID Token is not verified before this time.
Terminology
BambooCloud IDaaS unified authentication center: i.e., the authorization server, hereinafter referred to as BambooCloud IDaaS.
User center: BambooCloud IDaaS provides enterprise users with a centralized portal to access third-party applications.
EU: End User: a human user.
RP: Relying Party, refers to the trusted client in OIDC, the consumer of identity authentication and authorization information.
OP: OpenID Provider, a service capable of providing EU authentication (such as the authorization service in OIDC), used to provide the RP with EU identity authentication information.
UserInfo Endpoint: user information endpoint (protected by OIDC). When the RP accesses with an Access Token, it returns authorized user information. This endpoint must use HTTPS.
ID Token: data in JWT format, containing EU identity authentication information.