
What do all these fields mean?

When doing cross-platform authentication, you can get an ID token from your Android app using the GoogleApiClient, which you can give to your backend server. The server will then first verify the token using the following URL:

https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=XYZ123

If the token is properly signed and the iss and exp claims have the expected values, you will get an HTTP 200 response, where the body contains the JSON-formatted ID token claims. Here's an example response:

{
 "iss": "https://accounts.google.com",
 "sub": "110169484474386276334",
 "azp": "1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381.apps.googleusercontent.com",
 "email": "[email protected]",
 "at_hash": "X_B3Z3Fi4udZ2mf75RWo3w",
 "email_verified": "true",
 "aud": "1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381.apps.googleusercontent.com",
 "iat": "1433978353",
 "exp": "1433981953"
}

What do all these fields mean, aside from email?

asked Jun 25 '15 16:06
Devesh Khandelwal


1 Answer

Claims contain a set of name/value pairs:

  1. iss: The issuer of the token
  2. sub: The subject of the token. An identifier for the user, unique among all Google accounts and never reused.
  3. azp: The client_id of the authorized presenter.
  4. at_hash: Access token hash. Provides validation that the access token is tied to the identity token.
  5. email_verified: True if the user's e-mail address has been verified; otherwise false.
  6. aud: Identifies the audience that this ID token is intended for. It must be one of the OAuth 2.0 client IDs of your application.
  7. iat: The time the ID token was issued, represented in Unix time (integer seconds).
  8. exp: The time the ID token expires, represented in Unix time (integer seconds).

See: https://developers.google.com/identity/protocols/OpenIDConnect for more details.

answered Sep 28 '22 07:09
Vikash B
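
An added example, not part of the question or answer above and not Google's code: how a backend might act on these claims once the tokeninfo body has been parsed. It checks iss, aud, iat and exp, uses sub as the user key, and only trusts email when email_verified is "true". The function names, ClaimError, and the placeholder email address are assumptions made for illustration; the other sample values are taken from the question's response.

```python
import json

# Issuer strings Google documents for its ID tokens.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

class ClaimError(ValueError):
    """The tokeninfo response must not be trusted for this backend."""

def check_tokeninfo_claims(claims, expected_client_id, now):
    """Validate a parsed tokeninfo body; return the stable user key (sub)."""
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ClaimError("unexpected issuer")
    # aud must be this application's client ID, otherwise a token minted
    # for some other app could be replayed against this backend.
    if claims.get("aud") != expected_client_id:
        raise ClaimError("token issued for a different client")
    # tokeninfo returns iat/exp as strings, as in the sample response.
    try:
        iat, exp = int(claims["iat"]), int(claims["exp"])
    except (KeyError, TypeError, ValueError):
        raise ClaimError("missing or malformed iat/exp")
    if not iat <= now < exp:
        raise ClaimError("token not valid at this time")
    if not claims.get("sub"):
        raise ClaimError("missing sub")
    return claims["sub"]

def verified_email(claims):
    """Return the email only when Google reports it as verified."""
    # email_verified arrives as the string "true", not a JSON boolean.
    if str(claims.get("email_verified")).lower() == "true":
        return claims.get("email")
    return None

# Constructed input: the question's sample response; the email value is a
# placeholder because the original address is not shown on the page.
CLIENT_ID = "1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381.apps.googleusercontent.com"
SAMPLE = json.loads("""{
 "iss": "https://accounts.google.com", "sub": "110169484474386276334",
 "azp": "%s", "aud": "%s", "email": "user@example.com",
 "email_verified": "true", "iat": "1433978353", "exp": "1433981953"
}""" % (CLIENT_ID, CLIENT_ID))

if __name__ == "__main__":
    print(check_tokeninfo_claims(SAMPLE, CLIENT_ID, now=1433978400))
    print(verified_email(SAMPLE))
```

Key accounts on sub rather than email, since sub is the identifier described above as unique and never reused.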