Gjert

Reputation: 1067

Verification of ID tokens on client side

I'm working on implementing OAuth 2.0 in a stack of apps I have to reduce the required login credentials. However, I am struggling to understand OpenID Connect on top of OAuth 2.0 and how I am supposed to verify the JWT token given. Should the public key be supplied inside the actual token so that the client can check the signature?

Also, correct me if I'm wrong, but I believe this token is never sent to the resource server, but acts as a "helping hand" for the client to serve correct output to the user based on information given in the token? If so, is there a set of standards on what type of information each JWT should contain?

Upvotes: 1

Views: 323

Answers (1)

jwilleke

Reputation: 11036

An Identity Token is sent following a Successful Token Response, which is typically a JWT.

The ID Token validation is described within Section 3.1.3.7. ID Token Validation.

For ID tokens secured with an RSA or EC signature (e.g. RS256), you need the IdP’s public JSON Web Key (JWK) set. It is published as a simple JSON document at a URL which is also advertised in the OpenID Provider’s metadata in the jwks_uri parameter. You can check out Google’s JSON Web Key (JWK) to see what such a JWK set looks like.

For ID tokens secured with an HMAC (e.g. HS256) you use the client_secret to perform the validation.

Upvotes: 2
