What does the OpenID Connect ID Token (JWT) regex match?

Matches an OIDC ID token — same structure as JWT (sec-api-02) but with semantic context.

Is the OpenID Connect ID Token (JWT) regex ReDoS-safe?

Yes. Verified through static analysis: no ambiguous alternations or nested quantifiers that could trigger exponential backtracking.

How do I use this regex in python?

import re pattern = re.compile(r'^([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]*)$') is_valid = bool(pattern.match(input_str))

Security/OAuth & OIDC

Verified Safe

OpenID Connect ID Token (JWT) Regex for Python

/^([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]*)$/

What this pattern does

This page provides a well-structured, multi-part regular expression for matching openid connect id token (jwt), ported and verified for Python. In security-sensitive code, using an unverified regex can open the door to both false positives and denial-of-service attacks. The snippet below is ready to drop into your Python project — whether you're validating in a Django view, a FastAPI endpoint, or a standalone data processing script.

Python Implementation

Python

# OpenID Connect ID Token (JWT)
# ReDoS-safe | RegexVault — Security > OAuth & OIDC

import re

openid_connect_id_token_jwt_pattern = re.compile(r'^([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]*)$')

def validate_openid_connect_id_token_jwt(value: str) -> bool:
    return bool(openid_connect_id_token_jwt_pattern.fullmatch(value))

# Example
print(validate_openid_connect_id_token_jwt("eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyMTIzIiwiYXVkIjoiY2xpZW50XzEifQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"))  # True

Test Cases

Matches (Valid)	Rejects (Invalid)
`eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyMTIzIiwiYXVkIjoiY2xpZW50XzEifQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c`	`not.a.jwt.at.all.here`
—	`two.parts`

When to use this pattern

This pattern is drawn from the Security > OAuth & OIDC category and carries a ReDoS-safe certification. That matters for Python developers because particularly important in Python web servers where CPU-bound regex operations can stall concurrent request handling. RegexVault audits patterns against known backtracking attack vectors, ensuring you have the necessary context before using this regex in a high-stakes production environment.

Common Pitfalls

The most dangerous OIDC mistake is failing to validate the audience (aud) claim — an ID token issued for App A must not be accepted by App B. Validate aud strictly against your client_id.

Technical Notes

OIDC ID tokens are JWTs with specific required claims: iss (issuer), sub (subject), aud (audience), exp (expiry), iat (issued at). Always validate: 1) signature, 2) iss matches expected provider, 3) aud matches client_id, 4) exp is in the future, 5) nonce (if used). Never trust an ID token without validation.

Have a pattern that belongs in the vault?

Submit it for review — community-verified patterns get credited to your GitHub handle. Free submissions join the queue. Priority review available for $15.

Submit a Pattern