Becky Conning

Reputation: 135

Which of an OAuth 2.0 provider's JWKs should be used to verify an OpenID Connect `id_token`?

If an authentication server supplies multiple JSON Web Keys (e.g. https://www.googleapis.com/oauth2/v3/certs), which should be used to verify an OpenID Connect id_token as part of the OpenID Connect Implicit Flow?

Should the id_token be verified with the first JSON Web Key, all of the JSON Web Keys, or is the id_token considered valid if it can be verified with any of these provided JSON Web Keys?

Thanks!

Upvotes: 0

Views: 715

Answers (1)

Hans Z.

Reputation: 54088

When there are multiple keys in play that the OpenID Connect provider could use to sign an id_token, the header of the id_token would typically contain a key identifier (in the kid element) of the key that is actually used. That corresponds to the kid element in the JWK published at the jwks_uri endpoint that you describe. So the id_token would only be valid if it can be verified using the key that is associated with the kid in the header.

Upvotes: 1
