ID token can be encrypted

[meikestone]

[Enter feedback here] "They're commonly used to display account information or to make access control decisions in an application. ID tokens are signed, but they're not encrypted."

That's wrong! An ID Token can be encrypted, please read the OIDC Specs (https://openid.net/specs/openid-connect-core-1_0.html)

Kindly regards!

---

Document Details

⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.

• ID: b05bb7df-98fc-1342-640d-02063f6d8a11
• Version Independent ID: f6ac357f-f846-83c5-f19f-91e1bc0954e3
• Content: Overview of tokens - Azure Active Directory B2C
• Content Source: articles/active-directory-b2c/tokens-overview.md
• Service: active-directory
• Sub-service: b2c
• GitHub Login: @kengaderdus
• Microsoft Alias: kengaderdus

[Naveenommi-MSFT]

@meikestone Thanks for your feedback! We will investigate and update as appropriate.

[ManoharLakkoju-MSFT]

@meikestone Thanks for bringing this to our attention. I'm going to assign this to the document author so they can take a look at it accordingly

[ManoharLakkoju-MSFT]

@kengaderdus Can you please check and add your comments on this doc update request as applicable.

[kengaderdus]

@meikestone

Thank you for your feedback.

It's true that ID tokens can be encrypted, but by default, the ID token returned by Azure AD B2C is signed and not encrypted. We'll update our documentation to make this clear. #please-close