Page created: 10 Oct 2020 | Page updated: 10 Oct 2020
The next step is to parse the id_token and validate its contents. Note that because the id_token was received via a direct (TLS-protected) call to the token endpoint, verification of the digital signature is optional.
Firstly, decode both the header and payload components of the JWT:
Component | Value | Value Decoded |
---|---|---|
Header | eyJhbGciOiJSUzI1NiIsImtpZCI6IjRvaXU4In0 | { "alg":"RS256", "kid":"4oiu8" } |
Payload | eyJzdWIiOiJuZnlmZSIsImF1ZCI6ImFjX29pY19jbGllbnQiLCJqdGkiOiJIR1AwdnlxbmgwOVBjQ3MzenBHbUVsIiwiaXNzIjoiaHR0cHM6XC9cL3Nzby5tZXljbG91ZC5uZXQ6OTAzMSIsImlhdCI6MTM5MzczMDM4MCwiZXhwIjoxMzkzNzMwNjgwfQ | { "sub":"nfyfe", "aud":"ac_oic_client", "jti":"HGP0vyqnh09PcCs3zpGmEl", "iss":"https:\/\/localhost:9031", "iat":1393730380, "exp":1393730680 } |
Now we follow the guidelines in the OpenID Connect specifications (Core specification section 3.1.3.7) for ID Token Validation (see section 4.3 for details on validating the id_token).
Step # | Test Summary | Result |
---|---|---|
1 | Decrypt the token (if encrypted) | Token not encrypted, skip test |
2 | Verify the issuer claim (iss) matches the OP issuer value | Valid |
3 | Verify the audience claim (aud) contains the OAuth2 client_id | Valid |
4 | If the token contains multiple audiences, then verify that an Authorized Party claim (azp) is present | Only one audience, skip test |
5 | If the azp claim is present, verify it matches the OAuth2 client_id | Not present, skip test |
6,7,8 | Optionally verify the digital signature (required for implicit client profile) (see section 4.4) | TLS security sufficient, skip test |
9 | Verify the current time is prior to the expiry claim (exp) time value | Valid |
10 | Client specific: Verify the token was issued within an acceptable timeframe (iat) | Valid |
11 | If the nonce claim (nonce) is present, verify that it matches the nonce passed in the authentication request | Nonce was not sent in initial request, skip test |
12 | Client specific: Verify the Authn Context Reference claim (acr) value is appropriate | No acr value present, skip test |
13 | Client specific: If the authentication time claim (auth_time) is present, verify it is within an acceptable range | No auth_time present, skip test |
14 | If the implicit client profile is used, verify that the access token hash claim (at_hash) matches the hash of the associated access_token | Not an implicit profile, skip test |
The results of the ID token validation are sufficient to trust the id_token, and the user can be considered "authenticated".
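The decode step and the claim checks in the table (steps 2-5 and 9-11), as an added Python example that is not part of the original page. It uses the header and payload segments shown above; the client-side values OP_ISSUER, CLIENT_ID, MAX_TOKEN_AGE and the fixed `now` timestamp are assumptions for the example, and the signature is not verified, matching the token-endpoint flow described here.

```python
import base64
import json

# Header and payload segments of the id_token shown in the table above (the page
# does not reproduce the signature segment, and this example does not check it).
HEADER_B64 = "eyJhbGciOiJSUzI1NiIsImtpZCI6IjRvaXU4In0"
PAYLOAD_B64 = (
    "eyJzdWIiOiJuZnlmZSIsImF1ZCI6ImFjX29pY19jbGllbnQiLCJqdGkiOiJIR1AwdnlxbmgwOVBj"
    "Q3MzenBHbUVsIiwiaXNzIjoiaHR0cHM6XC9cL3Nzby5tZXljbG91ZC5uZXQ6OTAzMSIsImlhdCI6"
    "MTM5MzczMDM4MCwiZXhwIjoxMzkzNzMwNjgwfQ"
)
# Client-side configuration (assumed values for this example).
OP_ISSUER = "https://sso.meycloud.net:9031"  # issuer the OP advertises in its discovery document
CLIENT_ID = "ac_oic_client"
MAX_TOKEN_AGE = 300  # seconds; client-specific window for step 10, no clock-skew allowance

def decode_segment(segment):
    """Decode one base64url JWT segment, restoring the '=' padding JWTs strip."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def validate_id_token_claims(claims, now, expected_nonce=None):
    """Apply the claim checks from the table (steps 2-5, 9-11) to decoded claims.
    Returns (step, result) pairs in table order; raises ValueError at the first failure."""
    results = []
    if claims.get("iss") != OP_ISSUER:  # step 2: exact string match, no prefix tolerance
        raise ValueError("step 2: issuer mismatch")
    results.append((2, "Valid"))
    aud = claims.get("aud")  # step 3: aud may be a single string or a list
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if CLIENT_ID not in audiences:
        raise ValueError("step 3: client_id not in aud")
    results.append((3, "Valid"))
    azp = claims.get("azp")  # steps 4-5: azp is required when there are multiple audiences
    if len(audiences) > 1 and azp is None:
        raise ValueError("step 4: multiple audiences but no azp claim")
    results.append((4, "Valid" if len(audiences) > 1 else "Only one audience, skip test"))
    if azp is not None and azp != CLIENT_ID:
        raise ValueError("step 5: azp does not match client_id")
    results.append((5, "Valid" if azp is not None else "Not present, skip test"))
    if now >= claims["exp"]:  # step 9: current time must be before exp
        raise ValueError("step 9: token expired")
    results.append((9, "Valid"))
    if not 0 <= now - claims["iat"] <= MAX_TOKEN_AGE:  # step 10: issued recently
        raise ValueError("step 10: iat outside acceptable window")
    results.append((10, "Valid"))
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:  # step 11
        raise ValueError("step 11: nonce mismatch")
    results.append((11, "Valid" if expected_nonce is not None else "Nonce not sent, skip test"))
    return results
```

Running `validate_id_token_claims(decode_segment(PAYLOAD_B64), now=1393730400)` reproduces the Valid/skip column of the table; feeding it a multi-audience payload without azp, or a `now` past exp, raises at the corresponding step.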