ID Token - Signature Validation | WSO2 Identity Server

Dimuthu Kasun
3 min read, Sep 20, 2021

[Figure: Signed ID-Token Format]

Summary

OpenID Connect is an open standard for decentralized authentication: a simple identity layer on top of the OAuth 2.0 protocol. It lets clients verify the End-User's identity based on the authentication performed by an authorization server, and it lets client applications obtain End-User profile information through claims in a REST-like manner.

In this article, I am going to show you two ways to validate the signature of an ID token with the WSO2 Identity Server public key: with a copy of the certificate kept in a local keystore, and with the key published at the server's JWKS endpoint. You can go through the documentation if you would like to know more about how to configure an OpenID Connect application in WSO2 Identity Server.

ID Tokens

  • Unsigned ID token: if the token is not signed it contains only two portions, separated by “.”. (The example below is the signed token further down with its signature stripped; its header still decodes to {"alg":"RS256"} and its body to {"sub":"alice","iss":"https://c2id.com","iat":1416158541}. OpenID Connect requires ID tokens to be signed, so a token with no signature segment, or with "alg":"none", must be rejected unless the client was explicitly registered to accept unsigned ID tokens.)
<header>.<body>

E.g.:

eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSIsImlzcyI6Imh0dHBzOlwvXC9jMmlkLmNvbSIsImlhdCI6MTQxNjE1ODU0MX0
  • Signed ID token: a signed ID token contains three portions separated by “.”; the third is the Base64url-encoded signature over <header>.<body>.
<header>.<body>.<signature>

E.g.:

Eg :

eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSIsImlzcyI6Imh0dHBzOlwvXC9jMmlkLmNvbSIsImlhdCI6MTQxNjE1ODU0MX0.iTf0eDBF-6-OlJwBNxCK3nqTUjwC71-KpqXVr21tlIQq4_ncoPODQxuxfzIEwl3Ko_Mkt030zJs-d36J4UCxVSU21hlMOscNbuVIgdnyWhVYzh_-v2SZGfye9GxAhKOWL-_xoZQCRF9fZ1j3dWleRqIcPBFHVeFseD_64PNemyg

When you register a service provider in WSO2 Identity Server, you can choose either Default or JWT as the token issuer. That setting only changes the format of the access token (opaque reference vs. self-contained JWT); the ID token is a signed JWT in both cases, so the signature validation procedure below is the same for both options.

Signature Validation

As I am using Java for this, I am going to use the Nimbus JOSE+JWT library (4.22 is the version used when this was written; use the latest release your project can take).

<dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>nimbus-jose-jwt</artifactId>
    <version>4.22</version>
</dependency>

First, extract the ID token: it is returned as the id_token member of the token endpoint's JSON response, and it can be parsed into a SignedJWT with SignedJWT.parse(idToken). Parsing alone checks only the structure of the token, not the signature.

So first, I will look into validating the signature with the public key of the identity server stored in a keystore.

For this, I have already set up the keystore and added the public key certificate of the identity server. (By default the server signs ID tokens with the wso2carbon key in <IS_HOME>/repository/resources/security/wso2carbon.jks; export that certificate and import it into the client's keystore.)

  1. First, retrieve the public key certificate from the keystore (using the stored alias).
  2. Then take the WSO2 IS public key from the certificate.
  3. Verify the signature and validate the ID token.

You can pass the previously parsed ID token to this function as a SignedJWT.

The second way is to fetch the public key information from the JSON Web Key Set (JWKS) endpoint of the identity server (https://<host>:<port>/oauth2/jwks in WSO2 IS) and use that to validate the ID token.

  1. First, get the public key information from the JWKS endpoint.
  2. Compare the kid value in the token header with the kid values in the JWKS response, and reject the token if no key matches.
  3. Retrieve the “n” (modulus) and “e” (exponent) attributes of the matching key from the JWKS response.
  4. Build the public key from the modulus and exponent values.
  5. Validate the token with a JWSVerifier. Use the verifier that matches the algorithm in the token header and the key type of the matching JWK (e.g. RSASSAVerifier for RS256 with an RSA key); do not let the token choose an algorithm you do not expect.

Other than validating the ID token signature, we must also validate the standard claims in the token body. For example, the following claims can be validated.

+-------+-------------+-----------------------------------------------------------------+
| Claim | Description | Comment                                                         |
+-------+-------------+-----------------------------------------------------------------+
| iss   | Issuer      | Identifier of the creator of the token; must equal the issuer   |
|       |             | you expect.                                                     |
| sub   | Subject     | Identifier of the authenticated user.                           |
| aud   | Audience    | Expected recipient(s); must contain the client's identifier     |
|       |             | (client_id).                                                    |
| iat   | Issued At   | When the ID token was issued; reject tokens issued in the future|
|       |             | or too far in the past.                                         |
+-------+-------------+-----------------------------------------------------------------+

OpenID Connect Core also requires checking exp (reject the token once it has expired, allowing a small clock skew) and, if a nonce was sent in the authentication request, that the nonce claim matches it.
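The two ways of obtaining the key, the signature check and the claim checks above, put together as one added example (this is not code from the original article or from WSO2). It uses the Nimbus JOSE+JWT API named above and assumes RS256 signing, the default WSO2 IS issuer and JWKS URLs on localhost:9443, and placeholder values for the keystore path, password, alias and client ID.

```java
// Added example, not from the original article. Assumptions: RS256, default
// WSO2 IS URLs on localhost:9443, placeholder keystore/client values below.
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.net.URL;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Date;

public class IdTokenValidator {

    // Placeholders (assumed, not from the article): adjust to your deployment.
    static final String ISSUER = "https://localhost:9443/oauth2/token";
    static final String JWKS_URL = "https://localhost:9443/oauth2/jwks";
    static final String CLIENT_ID = "my-client-id";
    static final long CLOCK_SKEW_MS = 60_000;

    // Way 1: public key taken from the IS certificate stored under an alias in a JKS keystore.
    static RSAPublicKey publicKeyFromKeystore(String path, String password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return (RSAPublicKey) ks.getCertificate(alias).getPublicKey();
    }

    // Way 2: key from the JWKS endpoint, selected by the token's kid, rebuilt from n and e.
    static RSAPublicKey publicKeyFromJwks(SignedJWT jwt) throws Exception {
        String kid = jwt.getHeader().getKeyID();
        if (kid == null) throw new JOSEException("ID token header has no kid");
        JWKSet jwks = JWKSet.load(new URL(JWKS_URL)); // fetched over TLS; cache it in real code
        JWK jwk = jwks.getKeyByKeyId(kid);
        if (!(jwk instanceof RSAKey)) throw new JOSEException("no RSA key with kid " + kid);
        RSAKey rsaKey = (RSAKey) jwk;
        BigInteger n = rsaKey.getModulus().decodeToBigInteger();
        BigInteger e = rsaKey.getPublicExponent().decodeToBigInteger();
        return (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(n, e));
    }

    // Signature check, then the claim checks a relying party must make. Returns the claims on success.
    static JWTClaimsSet validate(String idToken, RSAPublicKey key, String expectedNonce) throws Exception {
        // A two-segment token or "alg":"none" does not parse as a SignedJWT, so it is rejected here.
        SignedJWT jwt = SignedJWT.parse(idToken);
        if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm())) {
            throw new JOSEException("unexpected alg " + jwt.getHeader().getAlgorithm());
        }
        if (!jwt.verify(new RSASSAVerifier(key))) {
            throw new JOSEException("ID token signature is invalid");
        }
        JWTClaimsSet claims = jwt.getJWTClaimsSet();
        Date now = new Date();
        if (!ISSUER.equals(claims.getIssuer())) throw new JOSEException("wrong iss: " + claims.getIssuer());
        if (claims.getSubject() == null) throw new JOSEException("missing sub");
        if (claims.getAudience() == null || !claims.getAudience().contains(CLIENT_ID)) {
            throw new JOSEException("aud does not contain " + CLIENT_ID);
        }
        if (claims.getExpirationTime() == null
                || claims.getExpirationTime().getTime() + CLOCK_SKEW_MS < now.getTime()) {
            throw new JOSEException("ID token expired");
        }
        if (claims.getIssuedAt() == null
                || claims.getIssuedAt().getTime() - CLOCK_SKEW_MS > now.getTime()) {
            throw new JOSEException("iat is in the future");
        }
        if (expectedNonce != null && !expectedNonce.equals(claims.getStringClaim("nonce"))) {
            throw new JOSEException("nonce mismatch");
        }
        return claims;
    }

    // Usage: java IdTokenValidator <id_token> [nonce]
    public static void main(String[] args) throws Exception {
        String idToken = args[0];
        String nonce = args.length > 1 ? args[1] : null;
        // Way 1 (placeholder keystore values):
        RSAPublicKey ksKey = publicKeyFromKeystore("client.jks", "changeit", "wso2carbon");
        System.out.println("keystore: sub=" + validate(idToken, ksKey, nonce).getSubject());
        // Way 2:
        RSAPublicKey jwksKey = publicKeyFromJwks(SignedJWT.parse(idToken));
        System.out.println("jwks: sub=" + validate(idToken, jwksKey, nonce).getSubject());
    }
}
```

The algorithm is pinned to RS256 before the verifier runs, so a token that names some other algorithm is refused rather than verified with whatever the header says. Rebuilding the key from n and e mirrors the steps in the text; RSAKey.toRSAPublicKey() does the same in one call. In a real client, cache the JWKS response and refetch it only when a kid is not found, so that a key rollover on the identity server does not break sign-in.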

Hope you have got some idea about how we can validate ID tokens. Thank you for reading the article.
