The next step is to parse the id_token and validate its contents. Note that, because the id_token was received via the user agent rather than directly from the token endpoint, verifying the digital signature is required to detect any tampering with the id_token. First, decode both the header and payload components of the JWT:

| Component | Value | Value Decoded |
|---|---|---|
| Header | eyJhbGciOiJSUzI1NiIsImtpZCI6IjRvaXU4In0 | {"alg":"RS256","kid":"4oiu8"} |
| Payload | eyJzdWIiOiJuZnlmZSIsImF1ZCI6ImltX29pY19jbGllbnQiLCJqdGkiOiJUOU4xUklkRkVzUE45enU3ZWw2eng2IiwiaXNzIjoiaHR0cHM6XC9cL3Nzby5tZXljbG91ZC5uZXQ6OTAzMSIsImlhdCI6MTM5MzczNzA3MSwiZXhwIjoxMzkzNzM3MzcxLCJub25jZSI6ImNiYTU2NjY2LTRiMTItNDU2YS04NDA3LTNkMzAyM2ZhMTAwMiIsImF0X2hhc2giOiJrdHFvZVBhc2praVY5b2Z0X3o5NnJBIn0 | {"sub":"nfyfe","aud":"im_oic_client","jti":"T9N1RIdFEsPN9zU7el6zx6","iss":"https:\/\/sso.meycloud.net:9031","iat":1393737071,"exp":1393737371,"nonce":"cba56666-4b12-456a-8407-3d3023fa1002","at_hash":"ktqoePasjkiV9oft_z96rA"} |


Now we follow the guidelines in the OpenID Connect specifications (Core specification section , also taking into consideration section ) for ID Token Validation:

| Step # | Test Summary | Result |
|---|---|---|
| 1 | Decrypt the token (if encrypted) | Token not encrypted, skip test |
| 2 | Verify the issuer claim (iss) matches the OP issuer value | Valid |
| 3 | Verify the audience claim (aud) contains the OAuth2 client_id | Valid |
| 4 | If the token contains multiple audiences, verify that an Authorized Party claim (azp) is present | Only one audience, skip test |
| 5 | If the azp claim is present, verify it matches the OAuth2 client_id | Not present, skip test |
| 6, 7, 8 | Optionally verify the digital signature (required for the implicit client profile; see section 4.4) | Verify signature as per "ID Token" section |
| 9 | Verify the current time is prior to the expiry claim (exp) time value | Valid |
| 10 | Client specific: verify the token was issued within an acceptable timeframe (iat) | Valid |
| 11 | If the nonce claim (nonce) is present, verify that it matches the nonce passed in the authentication request | Nonce matches, Valid |
| 12 | Client specific: verify the Authn Context Reference claim (acr) value is appropriate | No acr value present, skip test |
| 13 | Client specific: if the authentication time claim (auth_time) is present, verify it is within an acceptable range | No auth_time present, skip test |
| 14 | If the implicit client profile is used, verify that the access token hash claim (at_hash) matches the hash of the associated access_token | Validate at_hash as per "ID Token" section |
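The claim checks in the table above, run against this page's id_token, as an added example (not code from the original page). It performs steps 1-5 and 9-14 and computes at_hash the way RS256 requires; the signature check (steps 6-8) is deliberately left to a JWS library with the OP's key. The signature segment, the reference clock value and the sample access token are constructed, since the page does not show them.

```python
import base64
import hashlib
import json

# Header and payload are the ones decoded on this page; the signature segment is a
# constructed placeholder because the page does not reproduce it.
ID_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsImtpZCI6IjRvaXU4In0."
    "eyJzdWIiOiJuZnlmZSIsImF1ZCI6ImltX29pY19jbGllbnQiLCJqdGkiOiJUOU4xUklkRkVzUE45en"
    "U3ZWw2eng2IiwiaXNzIjoiaHR0cHM6XC9cL3Nzby5tZXljbG91ZC5uZXQ6OTAzMSIsImlhdCI6MTM5"
    "MzczNzA3MSwiZXhwIjoxMzkzNzM3MzcxLCJub25jZSI6ImNiYTU2NjY2LTRiMTItNDU2YS04NDA3LT"
    "NkMzAyM2ZhMTAwMiIsImF0X2hhc2giOiJrdHFvZVBhc2praVY5b2Z0X3o5NnJBIn0.SIGNATURE"
)

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def at_hash(access_token: str) -> str:
    # For alg RS256: base64url (no padding) of the left-most 128 bits of SHA-256(access_token)
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[:16]).rstrip(b"=").decode("ascii")

def validate_id_token_claims(id_token, issuer, client_id, nonce, now,
                             access_token=None, max_iat_age=300, max_auth_age=None):
    """Steps 1-5 and 9-14 of the table. Returns (all_ok, per-check results).
    Steps 6-8 (JWS signature check with the OP key named by the header kid/alg) are
    NOT done here; run them with a JWS library BEFORE trusting any claim below."""
    segments = id_token.split(".")
    if len(segments) != 3:  # step 1: a JWE has five segments; encryption is not handled here
        return False, {"format": False}
    header = json.loads(b64url_decode(segments[0]))
    c = json.loads(b64url_decode(segments[1]))
    aud = c.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    r = {
        "alg": header.get("alg") == "RS256",          # accept only the algorithm this OP uses
        "iss": c.get("iss") == issuer,                 # step 2
        "aud": client_id in aud,                       # step 3
        "azp_present": len(aud) == 1 or "azp" in c,    # step 4
        "azp": c.get("azp", client_id) == client_id,   # step 5
        "exp": now < c.get("exp", 0),                  # step 9
        "iat": 0 <= now - c.get("iat", now + 1) <= max_iat_age,  # step 10 (client policy)
        "nonce": c.get("nonce") == nonce,              # step 11: a nonce we sent must come back
        "acr": True,                                   # step 12: no acr policy in this example
        "auth_time": max_auth_age is None or "auth_time" not in c
                     or now - c["auth_time"] <= max_auth_age,  # step 13
        "at_hash": access_token is None or c.get("at_hash") == at_hash(access_token),  # step 14
    }
    return all(r.values()), r
```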

The results of the ID token validation are sufficient to trust the id_token, and the user can be considered "authenticated".