The ID token represents an authenticated user's session. As such, the token must be validated before an application can trust its contents. For example, if an attacker replayed a user's id_token that they had captured earlier, the application should detect that the token has been replayed, or used after it had expired, and deny the authentication.

Refer to the OpenID Connect specifications for more information on security concerns. The specifications also include guidelines for validating an ID token (Core specification, section 3.1.3.7). The general process is as follows:

Step #      Test Summary
1           Decrypt the token (if encrypted)
2           Verify the issuer claim (iss) matches the OP issuer value
3           Verify the audience claim (aud) contains the OAuth2 client_id
4           If the token contains multiple audiences, verify that an Authorized Party claim (azp) is present
5           If the azp claim is present, verify it matches the OAuth2 client_id
6, 7 & 8    Optionally verify the digital signature (required for the implicit client profile) (see section 4.4)
9           Verify the current time is prior to the expiry claim (exp) time value
10          Client specific: verify the token was issued within an acceptable timeframe (iat)
11          If the nonce claim (nonce) is present, verify that it matches the nonce passed in the authentication request
12          Client specific: verify the Authn Context Reference claim (acr) value is appropriate
13          Client specific: if the authentication time claim (auth_time) is present, verify it is within an acceptable range
14          If the implicit client profile is used, verify that the access token hash claim (at_hash) matches the hash of the associated access_token
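The checklist above, applied to an already-decoded set of claims, as an added example (not code from the original page or from any OpenID library). It assumes decryption and signature verification (steps 1 and 6-8) were done beforehand by a JOSE library, and uses a constructed issuer URL, client_id and sample claims; the nonce check is slightly stricter than step 11 as written, in that a nonce the client sent must come back in the token.

```python
import base64
import hashlib
import time

# Constructed sample values, not from any real provider (assumptions for this example).
ISSUER = "https://op.example.com"
CLIENT_ID = "client-abc"


def expected_at_hash(access_token):
    """Step 14: base64url of the left-most half of SHA-256(access_token) (RS256/HS256 tokens)."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[:16]).rstrip(b"=").decode("ascii")


def validate_id_token_claims(claims, expected_nonce=None, access_token=None,
                             max_iat_age=300, allowed_acr=None, max_auth_age=None, now=None):
    """Steps 2-5 and 9-14 of the checklist on already-decoded claims.
    Assumes decryption and signature verification (steps 1, 6-8) were done by a JOSE library.
    Returns the list of failed checks; an empty list means the token may be trusted."""
    now = time.time() if now is None else now
    errors = []
    if claims.get("iss") != ISSUER:                      # step 2
        errors.append("iss")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud_list:                        # step 3
        errors.append("aud")
    if len(aud_list) > 1 and "azp" not in claims:        # step 4
        errors.append("azp missing")
    if "azp" in claims and claims["azp"] != CLIENT_ID:   # step 5
        errors.append("azp")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:  # step 9: expired, or replayed after expiry
        errors.append("exp")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now or now - iat > max_iat_age:  # step 10
        errors.append("iat")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:  # step 11 (stricter)
        errors.append("nonce")
    if allowed_acr is not None and claims.get("acr") not in allowed_acr:  # step 12
        errors.append("acr")
    if max_auth_age is not None and (  # step 13
            "auth_time" not in claims or now - claims["auth_time"] > max_auth_age):
        errors.append("auth_time")
    if access_token is not None and claims.get("at_hash") != expected_at_hash(access_token):  # step 14
        errors.append("at_hash")
    return errors
```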