The next step is to parse the id_token and validate its contents. Note that, because the id_token was received via a direct (TLS-protected) call to the token endpoint, verification of the digital signature is optional.

Firstly, decode both the header and payload components of the JWT:

| Component | Value | Value Decoded |
|---|---|---|
| Header | eyJhbGciOiJSUzI1NiIsImtpZCI6IjRvaXU4In0 | { "alg":"RS256", "kid":"4oiu8" } |
| Payload | eyJzdWIiOiJuZnlmZSIsImF1ZCI6ImFjX29pY19jbGllbnQiLCJqdGkiOiJIR1AwdnlxbmgwOVBjQ3MzenBHbUVsIiwiaXNzIjoiaHR0cHM6XC9cL3Nzby5tZXljbG91ZC5uZXQ6OTAzMSIsImlhdCI6MTM5MzczMDM4MCwiZXhwIjoxMzkzNzMwNjgwfQ | { "sub":"nfyfe", "aud":"ac_oic_client", "jti":"HGP0vyqnh09PcCs3zpGmEl", "iss":"https:\/\/localhost:9031", "iat":1393730380, "exp":1393730680 } |

Now we follow the ID Token Validation guidelines in the OpenID Connect Core specification (section 3.1.3.7); see section 4.3 for details on validating the id_token.

| Step # | Test Summary | Result |
|---|---|---|
| 1 | Decrypt the token (if encrypted) | Token not encrypted, skip test |
| 2 | Verify the issuer claim (iss) matches the OP issuer value | Valid |
| 3 | Verify the audience claim (aud) contains the OAuth2 client_id | Valid |
| 4 | If the token contains multiple audiences, verify that an Authorized Party claim (azp) is present | Only one audience, skip test |
| 5 | If the azp claim is present, verify it matches the OAuth2 client_id | Not present, skip test |
| 6, 7, 8 | Optionally verify the digital signature (required for the implicit client profile) (see section 4.4) | TLS security sufficient, skip test |
| 9 | Verify the current time is prior to the expiry claim (exp) time value | Valid |
| 10 | Client specific: verify the token was issued within an acceptable timeframe (iat) | Valid |
| 11 | If the nonce claim (nonce) is present, verify that it matches the nonce passed in the authentication request | Nonce was not sent in initial request, skip test |
| 12 | Client specific: verify the Authn Context Reference claim (acr) value is appropriate | No acr value present, skip test |
| 13 | Client specific: if the authentication time claim (auth_time) is present, verify it is within an acceptable range | No auth_time present, skip test |
| 14 | If the implicit client profile is used, verify that the access token hash claim (at_hash) matches the hash of the associated access_token | Not an implicit profile, skip test |
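
As an added example (not code from the original guide), the following Python decodes a JWT's header and payload and applies the claim checks from the table above (steps 2-5 and 9-11) to a constructed token that mirrors the decoded values shown; the expected issuer and client_id, the 300-second iat window and the 60-second clock skew are assumed values.

```python
import base64
import json

# Constructed sample mirroring the decoded header and payload shown above
# (built for this demo, not the original page's token).
SAMPLE_HEADER = {"alg": "RS256", "kid": "4oiu8"}
SAMPLE_CLAIMS = {"sub": "nfyfe", "aud": "ac_oic_client", "jti": "HGP0vyqnh09PcCs3zpGmEl",
                 "iss": "https://localhost:9031", "iat": 1393730380, "exp": 1393730680}

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(header: dict, claims: dict) -> str:
    # "header.payload." with an empty signature segment (demo only; a real OP signs it).
    return ".".join(b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                    for p in (header, claims)) + "."

def decode_jwt(token: str):
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def validate_id_token(claims: dict, issuer: str, client_id: str, now: int,
                      expected_nonce=None, max_age: int = 300, skew: int = 60) -> list:
    # Steps 2-5 and 9-11 of the table; returns the failed checks (empty list = valid).
    # Steps 6-8 (signature) are skipped as the text does for a token fetched directly over
    # TLS; an implicit-flow client must verify RS256 against the OP key named by kid.
    errors = []
    if claims.get("iss") != issuer:
        errors.append("iss does not match the OP issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        errors.append("aud does not contain client_id")
    if len(audiences) > 1 and "azp" not in claims:
        errors.append("multiple audiences but no azp claim")
    if "azp" in claims and claims["azp"] != client_id:
        errors.append("azp does not match client_id")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or now >= exp:
        errors.append("token expired (exp)")
    if not isinstance(iat, int) or not (now - max_age <= iat <= now + skew):
        errors.append("iat outside acceptable window")
    if expected_nonce is not None or "nonce" in claims:
        if claims.get("nonce") != expected_nonce:
            errors.append("nonce mismatch")
    return errors
```

Running `validate_id_token(SAMPLE_CLAIMS, "https://localhost:9031", "ac_oic_client", 1393730400)` returns an empty list; the same call with `now=1393730700` reports both the exp and iat failures.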

The results of the ID token validation are sufficient to trust the id_token, and the user can be considered "authenticated".