Page created: 30 Sep 2020 | Page updated: 30 Sep 2020
We now have the modulus (n) and the exponent (e) of the public key. These are enough to reconstruct the RSA public key and validate the id_token signature.
Some client profiles also include a hash claim in the id_token that lets the client verify that an associated token was issued together with that id_token. For example, in the implicit client profile (where the id_token and access_token are both returned from the authorization endpoint), the id_token carries an at_hash claim that binds it to the access_token; the hybrid profile uses a c_hash claim in the same way to bind the authorization code. The id_token signature must be validated before these claims are trusted, since an unverified id_token can carry any at_hash value.
The following example uses the id_token above and its associated access_token to verify the at_hash claim:
| Field | Value |
| --- | --- |
| Signing algorithm | RS256 |
| at_hash value | wfgvmE9VxjAudsl9lc6TqA |
| OAuth 2.0 access_token | dNZX1hEZ9wBCzNL40Upu646bdzQA |
- Hash the octets of the ASCII representation of the access token, using the hash function that corresponds to the alg in the id_token's JWS header (RS256 means SHA-256; RS384 and RS512 would mean SHA-384 and SHA-512). Use the alg the client expects for this issuer rather than whatever the header happens to say, so that a tampered header cannot choose the hash. For this example:
  SHA256HASH("dNZX1hEZ9wBCzNL40Upu646bdzQA") = c1f82f98 4f55c630 2e76c97d 95ce93a8 9a5d61f7 dc99b9ad 37dc12b3 7231ff9d
- Take the left-most half of the digest (16 of the 32 bytes for SHA-256) and base64url-encode it without padding:
  Left-most half: c1f82f98 4f55c630 2e76c97d 95ce93a8
  Base64urlencode([0xC1, 0xF8, 0x2F, 0x98, 0x4F, 0x55, 0xC6, 0x30, 0x2E, 0x76, 0xC9, 0x7D, 0x95, 0xCE, 0x93, 0xA8]) = "wfgvmE9VxjAudsl9lc6TqA"
- Compare the at_hash claim from the id_token with the base64url-encoded left-most half of the access token hash. The two strings must match exactly; a constant-time comparison is preferable. If they differ, the access_token was not issued alongside this id_token and must be rejected.
| Field | Value |
| --- | --- |
| at_hash value | wfgvmE9VxjAudsl9lc6TqA |
| left-most half value | wfgvmE9VxjAudsl9lc6TqA |
| Validation result | VALID |
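The three steps above, as an added Python example that is not part of the original page or of any vendor SDK. It generalizes the RS256 case to the other JWS algorithms (the hash is chosen by the alg's output size), and it shows how a client would pull alg and at_hash out of a compact id_token. The id_token built by `build_unsigned_id_token` is a constructed sample with an empty signature segment so the example runs offline; a real id_token must have its signature validated (previous section) before `verify_at_hash` is called, and the function refuses any alg other than the one the caller expects. The function names and the sample claims are assumptions made for this example.

```python
"""Verify the OIDC at_hash (or c_hash) claim of an id_token against the
associated access_token (or code). Added example; not from the original page."""
import base64
import hashlib
import hmac
import json

# Hash implied by the id_token's JWS "alg": the hash whose output size matches
# the signature algorithm, e.g. RS256 -> SHA-256, ES512 -> SHA-512.
ALG_TO_HASH = {
    "HS256": "sha256", "RS256": "sha256", "ES256": "sha256", "PS256": "sha256",
    "HS384": "sha384", "RS384": "sha384", "ES384": "sha384", "PS384": "sha384",
    "HS512": "sha512", "RS512": "sha512", "ES512": "sha512", "PS512": "sha512",
}


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE/OIDC require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding urlsafe_b64decode wants."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def left_half_hash(value: str, alg: str) -> str:
    """Steps 1-2: hash the ASCII octets, keep the left-most half, base64url it."""
    if alg not in ALG_TO_HASH:
        raise ValueError(f"unsupported alg for at_hash: {alg!r}")
    digest = hashlib.new(ALG_TO_HASH[alg], value.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])


def verify_token_hash(claim_value, token: str, alg: str) -> bool:
    """Step 3: compare the claim with the recomputed value in constant time."""
    if not isinstance(claim_value, str) or not claim_value:
        return False
    return hmac.compare_digest(left_half_hash(token, alg), claim_value)


def verify_at_hash(id_token: str, access_token: str, expected_alg: str) -> bool:
    """Extract alg and at_hash from a compact JWS and check them.

    Assumes the id_token signature has ALREADY been validated; this does not
    check it. The header alg is only accepted if it equals expected_alg, so a
    modified header cannot steer which hash function is used.
    """
    try:
        header_b64, payload_b64, _signature = id_token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return False
    if header.get("alg") != expected_alg:
        return False
    return verify_token_hash(payload.get("at_hash"), access_token, expected_alg)


def build_unsigned_id_token(alg: str, claims: dict) -> str:
    """Constructed sample only: compact JWS with an empty signature segment so
    the example runs offline. Never accept such a token in a real client."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    # The page's sample access_token; at_hash is recomputed here, not copied.
    access_token = "dNZX1hEZ9wBCzNL40Upu646bdzQA"
    claims = {"sub": "alice", "at_hash": left_half_hash(access_token, "RS256")}
    id_token = build_unsigned_id_token("RS256", claims)
    print("at_hash:", claims["at_hash"])
    print("valid:", verify_at_hash(id_token, access_token, "RS256"))
    print("swapped token valid:",
          verify_at_hash(id_token, access_token + "x", "RS256"))
```

Running the script prints the recomputed at_hash for the page's access_token, `True` for the matching pair, and `False` when a different access_token is presented with the same id_token. The expected alg is passed in by the caller because the client already knows which algorithm its issuer signs with; letting the token pick the hash would let an attacker who can forge the header also pick the comparison.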