  1. Core Server
  2. SERVER-67663

Parse compactly serialized JSON Web Tokens

    • Type: Task
    • Resolution: Done
    • Priority: Major - P3
    • None
    • Affects Version/s: None
    • Component/s: None
    • Labels:
      None
    • Security 2022-07-25, Security 2022-08-08, Security 2022-08-22, Security 2022-09-05

      The ID tokens minted by the Identity Provider will be JSON Web Tokens (JWTs). They will be sent from the IdP back to the shell, which will propagate them to the mongod in a SASL step. In transit, the JWT will be represented in the compact serialization form, which appears as follows:

      Base64URLEncoded(Header).Base64URLEncoded(Payload).Base64URLEncoded(Signature)

      The server should define IDL types to represent the JWTHeader and JWTPayload that get parsed after decoding the Base64URLEncoded strings. The JWTHeader type is expected to have the typ, alg, and kid fields. The JWTPayload type is expected to have the iss, aud, iat, and exp fields.

      A unit test should be written that verifies that valid JWT Compact Serializations are parsed into these structures. The unit test should also validate that required fields are not omitted.

      Further details are available here.
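
The parsing and required-field check described above, as an added Python example; it is not the server's IDL-generated C++ code. The names parse_compact_jwt, JWTParseError and make_sample_token are hypothetical, the sample token is constructed, and signature verification is out of scope here.

```python
import base64
import json

REQUIRED_HEADER = ("typ", "alg", "kid")           # fields named in the ticket
REQUIRED_PAYLOAD = ("iss", "aud", "iat", "exp")   # fields named in the ticket

class JWTParseError(ValueError):
    """Raised for any malformed compact serialization."""

def _b64url_decode(segment):
    # Compact form uses unpadded base64url: refuse padding, '+', '/' and empty segments.
    if not segment or any(c in "+/=" for c in segment):
        raise JWTParseError("segment is not unpadded base64url")
    try:
        padded = segment + "=" * (-len(segment) % 4)
        return base64.b64decode(padded, altchars=b"-_", validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise JWTParseError("invalid base64url segment") from exc

def _decode_object(segment, required, name):
    raw = _b64url_decode(segment)
    try:
        obj = json.loads(raw)
    except ValueError as exc:  # bad UTF-8 or bad JSON
        raise JWTParseError(f"{name} is not valid JSON") from exc
    if not isinstance(obj, dict):
        raise JWTParseError(f"{name} is not a JSON object")
    missing = [f for f in required if f not in obj]
    if missing:
        raise JWTParseError(f"{name} is missing required fields: {missing}")
    return obj

def parse_compact_jwt(token):
    """Decode header.payload.signature; does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTParseError("expected exactly three dot-separated segments")
    header = _decode_object(parts[0], REQUIRED_HEADER, "header")
    payload = _decode_object(parts[1], REQUIRED_PAYLOAD, "payload")
    signature = _b64url_decode(parts[2])
    # A later verification step must check the signature over exactly these bytes.
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    return header, payload, signature, signing_input

def make_sample_token(header, payload, signature=b"constructed-signature"):
    """Build a constructed sample token (the signature bytes are a dummy)."""
    def enc(b):
        return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")
    return ".".join([enc(json.dumps(header).encode()), enc(json.dumps(payload).encode()), enc(signature)])
```

The parsed header and payload are untrusted until the signature has been verified over signing_input with the key selected by kid.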

            Assignee:
            sara.golemon@mongodb.com Sara Golemon
            Reporter:
            varun.ravichandran@mongodb.com Varun Ravichandran
            Votes:
            0
            Watchers:
            2
