The second component contains the payload which contains claims relating to the authentication and identification of the user. The payload of the above example is decoded as follows:

Component Value Value Decoded
JWT Payload eyJzdWIiOiJqb2UiLCJhdWQiOiJpbV9vaWN fY2xpZW50IiwianRpIjoidWY5MFNLNHdzY0 ZoY3RVVDZEdHZiMiIsImlzcyI6Imh0dHBzO lwvXC9sb2NhbGhvc3Q6OTAzMSIsImlhdCI6 MTM5NDA2MDg1MywiZXhwIjoxMzk0MDYxMTU zLCJub25jZSI6ImU5NTdmZmJhLTlhNzgtNG VhOS04ZWNhLWFlOGM0ZWY5Yzg1NiIsImF0X 2hhc2giOiJ3Zmd2bUU5VnhqQXVkc2w5bGM2 VHFBIn0 { "sub":"joe", "aud":"im_oic_client", "jti":"uf90SK4wscFhctUT6Dtvb2", "iss":"https:\/\/localhost:9031", "iat":1394060853, "exp":1394061153, "nonce":"e957ffba-9a78-4ea9-8eca-ae8c4ef9c856", "at_hash":"wfgvmE9VxjAudsl9lc6TqA" }

The following claims you can expect in an id_token and can use to determine if the authentication by the user was sufficient to grant them access to the application. (Refer to the OpenID Connect specifications to additional details on these attributes):

Claim Description
iss Issuer of the id_token
sub Subject of the id_token (ie the end-user's username)
aud Audience for the id_token (must match the client_id of the application)
exp Time the id_token is set to expire (UTC, Unix Epoch time)
iat Timestamp when the id_token was issued (UTC, Unix Epoch time)
auth_time Time the end-user authenticated (UTC, Unix Epoch time)
nonce Nonce value supplied during the authentication request (REQUIRED for implicit flow)
acr Authentication context reference used to authenticate the user
acr Authentication context reference used to authenticate the user
at_hash Hash of the OAuth2 access token when used with Implicit profile
c_hash Hash of the OAuth2 authorization code when used with the hybrid profile