The (webid-oidc oidc-id-token) module contains a definition for the OIDC ID token.
The ID token is issued by an identity provider, and is intended to be used by the client only. It gives information about the user, identified by a webid (a URI from (web uri)), and about the client, identified by its client ID, aud, which is also a URI. Since the client should not communicate this token, it is reasonable to think that the client will decode the token as soon as it gets it, and then forget the now useless signature. This is why this token is considered single-use. The sub field should store a username as a string, but if it is missing, the webid (as a string) will be used.
To construct an ID token, you would either need #:jwt-payload, as for any token, or a combination of parameters:
#:signing-key, to initialize a JWT;
#:validity, because it is issued for a limited time window (around an hour);
#:nonce, to define its identifier (defaults to a random one);
#:iss, the issuer URI, because it is an OIDC token;
#:webid, a URI identifying the user;
#:sub, a string that defaults to the webid;
#:aud, a URI identifying the application.
Return the user identifier in token, as a URI.
Return the username in token, as a string.
Return the client identifier in token, as a URI.
This exception is raised when the ID token is invalid.
Construct an exception of type
Check whether exception was raised because of an invalid ID token.
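The client-side handling described above (verify the token once, check who issued it and for whom, then keep only the claims) can be sketched as follows. This is an added example in Python, not code from the webid-oidc module and not its API: the names issue and consume_id_token are hypothetical, HS256 with a shared key stands in for the module's signing key, the claim names webid, nonce, iat and exp are assumed, and rejecting a repeated nonce is this example's own reading of "single-use".

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(key: bytes, claims: dict) -> str:
    """Constructed issuer side: sign the claims as a compact HS256 JWT."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def consume_id_token(token, key, issuer, client_id, seen, now=None):
    """Verify once, then keep only the claims; the signature is dropped."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        claims = json.loads(b64url_decode(body))
        given = b64url_decode(sig)
    except ValueError as exc:
        raise ValueError("malformed ID token") from exc
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        raise ValueError("malformed ID token")
    if header.get("alg") != "HS256":  # pin the algorithm the client expects
        raise ValueError("unexpected algorithm")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        raise ValueError("bad signature")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:
        raise ValueError("issued to another client")
    if not claims.get("iat", 0) <= now < claims.get("exp", 0):
        raise ValueError("outside validity window")
    nonce, webid = claims.get("nonce"), claims.get("webid")
    if not isinstance(nonce, str) or nonce in seen:
        raise ValueError("missing or replayed nonce")
    if not isinstance(webid, str):
        raise ValueError("missing webid")
    seen.add(nonce)  # assumed replay guard keyed on the token identifier
    # sub falls back to the webid string when the issuer omitted it
    return {"webid": webid, "sub": claims.get("sub", webid), "aud": client_id}
```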