Page created: 10 Oct 2020 | Page updated: 10 Oct 2020
The next step is to parse the id_token and validate its contents. Note that because the id_token was received via the user agent, rather than directly from the token endpoint, verification of the digital signature is required to detect any tampering with the id_token. Firstly, decode both the header and payload components of the JWT:
Component | Value | Value Decoded
---|---|---
Header | eyJhbGciOiJSUzI1NiIsImtpZCI6IjRvaXU4In0 | {"alg":"RS256","kid":"4oiu8"}
Payload | eyJzdWIiOiJuZnlmZSIsImF1ZCI6ImltX29pY19jbGllbnQiLCJqdGkiOiJUOU4xUklkRkVzUE45enU3ZWw2eng2IiwiaXNzIjoiaHR0cHM6XC9cL3Nzby5tZXljbG91ZC5uZXQ6OTAzMSIsImlhdCI6MTM5MzczNzA3MSwiZXhwIjoxMzkzNzM3MzcxLCJub25jZSI6ImNiYTU2NjY2LTRiMTItNDU2YS04NDA3LTNkMzAyM2ZhMTAwMiIsImF0X2hhc2giOiJrdHFvZVBhc2praVY5b2Z0X3o5NnJBIn0 | {"sub":"nfyfe","aud":"im_oic_client","jti":"T9N1RIdFEsPN9zU7el6zx6","iss":"https:\/\/sso.meycloud.net:9031","iat":1393737071,"exp":1393737371,"nonce":"cba56666-4b12-456a-8407-3d3023fa1002","at_hash":"ktqoePasjkiV9oft_z96rA"}
Now we follow the guidelines in the OpenID Connect specifications (Core specification section 3.1.3.7, also taking into consideration section 3.2.2.11) for ID Token Validation:
Step # | Test Summary | Result
---|---|---
1 | Decrypt the token (if encrypted) | Token not encrypted, skip test
2 | Verify the issuer claim (iss) matches the OP issuer value | Valid
3 | Verify the audience claim (aud) contains the OAuth2 client_id | Valid
4 | If the token contains multiple audiences, verify that an Authorized Party claim (azp) is present | Only one audience, skip test
5 | If the azp claim is present, verify it matches the OAuth2 client_id | Not present, skip test
6,7,8 | Optionally verify the digital signature (required for the implicit client profile) (see section 4.4) | Verify signature as per "ID Token" section
9 | Verify the current time is prior to the expiry claim (exp) time value | Valid
10 | Client specific: Verify the token was issued within an acceptable timeframe (iat) | Valid
11 | If the nonce claim (nonce) is present, verify that it matches the nonce passed in the authentication request | Nonce matches, Valid
12 | Client specific: Verify the Authn Context Reference claim (acr) value is appropriate | No acr value present, skip test
13 | Client specific: If the authentication time claim (auth_time) is present, verify it is within an acceptable range | No auth_time present, skip test
14 | If the implicit client profile is used, verify that the access token hash claim (at_hash) matches the hash of the associated access_token | Validate at_hash as per "ID Token" section
With every check in the table passed, including the signature and at_hash verification deferred to the "ID Token" section, the id_token can be trusted and the user can be considered "authenticated".