Closed awb99 closed 4 months ago
The ID token consists of three main parts:
- header: metadata about the token and its cryptographic algorithm
- payload: claims about the issuer, the user and user authorization
- signature: for verification of the integrity of the token

The parts are separated with a `.` (period) in the encoded token:
`alg`: the algorithm used when signing the token. It should be a sufficiently strong algorithm, but do not rely on this header value alone: libraries should block algorithms such as `none` to prevent attacks.
The payload contains the claims for use by the client. When decoding, the first thing to look for is the `iss` (issuer) field. It shows who issued the token and must be an HTTPS URL. This is important for the following reasons:

- Only trust tokens from known issuers
- Use the issuer to find the JWKS endpoint via the OpenID Connect Metadata

```json
"iss": "https://example.curity.io",
```
To verify the signature you should:
1. Retrieve the public key by using the `x5t` or `kid` parameter.
2. Break off the signature from the message, leaving the `header.payload` encoded.
3. Convert the `header.payload` segment to an ASCII byte array.
4. Base64Url decode the signature.
5. Use the decoded signature to validate the `header.payload` ASCII byte array.

- `kid`: the key id. The key is found on the JSON Web Key Set (JWKS) endpoint of the issuer.
- `x5t` or `x5t#256`: the fingerprint of the certificate to use, hashed with SHA1 or SHA256.
Use this Discovery endpoint to configure your application or API to automatically locate the JSON Web Key Set (JWKS) endpoint (jwks_uri), which contains the JWKS used to sign all Auth0-issued JSON Web Tokens (JWTs) signed with the RS256 signing algorithm. The endpoint exists at:
`https://{yourDomain}/.well-known/openid-configuration`
When validating a JWT using a JWKS, you will need to:
```json
"jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
```

```
validateJwt(String jwtToken, String jwksUrl)
```

```clojure
{:alg :RS256 :jwk-endpoint "https://your/jwk/endpoint"}
```

https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com