What Is the Authentication Claim in id_token

Q

What is the authentication claim in an id_token?

✍: FYIcenter.com

A

The authentication claims are the information carried in the body (payload) of the id_token, which is a signed JWT. The OpenID Connect Core 1.0 specification defines the following primary claims, and your application must check each of them before trusting the token:

"iss" - Required. Identifies the "Issuer" of this authentication, in the form of a case sensitive URL string with no query or fragment components. Basically, "iss" identifies the source used by the service provider to authenticate this user.

For example, if you receive iss="https://sts.windows.net/b9411234-09af-49c2-b0c3-653adc1f376e/" in an id_token, you know that this user was authenticated by the Azure Active Directory tenant b9411234-09af-49c2-b0c3-653adc1f376e (the tenant ID is the path segment of the issuer URL).

"sub" - Required. Identifies the "Subject" of this authentication. Basically, "sub" is the unique identifier given by the service provide to identify this user.

For example, if you receive sub="yf8C5e_VRkR1egGxJSDt5_olDFay6L5ilBA81hZhQEI" in an id_token, you can store this string (together with the iss value) in your database as the reference ID for this user. This is better than keying your database on the user's email address: an email address can change or be handed to a different person, while the sub is a stable, opaque identifier rather than personal information.

"aud" - Required. Identifies the "Audience" of this authentication. Basically, "aud" is the unique identifier for application that requested this authentication. "aud" is the same as the "client_id" of OAuth 2.0 protocol.

For example, if you receive aud="http://dev.fyicenter.com" in an id_token and that is the client_id you registered with the provider, you know that this authentication was issued for your application. If your client_id does not appear in "aud", reject the token even though its signature is valid: it was issued for some other application and could be replayed against yours.

"exp" - Required. Identifies the "Expiration" time of this authentication, in the form of the number of seconds from 1970-01-01T0:0:0Z as measured in UTC.

For example, if you receive exp=1416972488 in an id_token, you must reject it once the current time reaches 1970-01-01T00:00:00Z plus 1416972488 seconds, that is 2014-11-26T03:28:08Z.

"iat" - Required. Identifies the "Issued At" time of this authentication in the form of the number of seconds from 1970-01-01T0:0:0Z as measured in UTC.

For example, if you receive iat=1416968588 in an id_token, you know that it was issued at 1970-01-01T00:00:00Z plus 1416968588 seconds, that is 2014-11-26T02:23:08Z, 65 minutes before the expiration time in the previous example.

"nonce" - Conditional. The same "nonce" value included in the authentication request. Basically, "nonce" is an random string you include in the request and validate it when you received it back in the response. You should throw it away immediately after the validation to prevent replay attacks.

Here is an example of an id_token after splitting it on "." and Base64URL decoding each of its three segments:

Header =
{
  "alg": "HS256",
  "typ": "JWT"
}

Body = 
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

Signature = 0x49f94ac7044948c78a285d904f87f0a4c7897f7e8f3a4eb2255fda750b2cc397

Note that this sample body has no "iss", "aud" or "exp", so a real OpenID Provider would never emit it as an id_token; it only illustrates the three-part structure. The "alg": "HS256" header means the signature is an HMAC-SHA256 over the encoded header and body using a secret shared between the provider and your application. Public OpenID Providers typically sign with RS256 instead, so that your application only needs the provider's public key to verify the token. In either case, your code must verify the signature with the algorithm and key it expects, never with whatever the token's header asks for.

By the way, Base64URL encoding is the same as Base64 encoding except that "-" is used instead of "+", "_" is used instead of "/", and the trailing "=" padding is omitted, so the encoded string can be placed in a URL without escaping. When decoding a JWT segment, restore the padding first or a strict Base64 decoder will reject it.
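An added example, not from the original page, that does the splitting and Base64URL decoding described above and then verifies an HS256 signature, which is what "alg": "HS256" in the header means. The header and body are the ones shown above; the shared secret is made up for this demo. It also shows two forgeries that a decoder which merely splits and Base64URL-decodes would happily accept: a swapped body carried with the old signature, and a token that claims "alg": "none".

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(segment):
    """Base64URL to bytes, restoring the '=' padding that JWT segments omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    """Bytes to Base64URL with the padding stripped, as JWTs carry it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def split_id_token(token):
    """Split and decode the three segments WITHOUT verifying anything.

    Use this only to look at a token; never act on the body it returns.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a signed id_token has exactly three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    body = json.loads(b64url_decode(parts[1]))
    return header, body, b64url_decode(parts[2])


def verify_hs256(token, secret):
    """Verify an HS256 id_token and return its body; raise ValueError if invalid."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm we expect. Letting the token choose ("none", or an
    # RSA public key reused as an HMAC secret) is a classic forgery path.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg: {header.get('alg')!r}")
    signing_input = f"{header_b64}.{body_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    return json.loads(b64url_decode(body_b64))


def is_valid_hs256(token, secret):
    """Boolean form of verify_hs256 for callers that only need accept/reject."""
    try:
        verify_hs256(token, secret)
    except (ValueError, AttributeError, TypeError, UnicodeDecodeError):
        return False
    return True


def make_hs256_token(header, body, secret):
    """Build a compact JWT the way a provider would (constructed for the demo)."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    b = b64url_encode(json.dumps(body, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(secret, f"{h}.{b}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{b}.{b64url_encode(sig)}"


def swap_body(token, new_body):
    """Attacker move: keep the header and signature, replace the body."""
    h, _, s = token.split(".")
    b = b64url_encode(json.dumps(new_body, separators=(",", ":")).encode("utf-8"))
    return f"{h}.{b}.{s}"


def forge_alg_none(body):
    """Attacker move: claim alg 'none' and send an empty signature."""
    h = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    b = b64url_encode(json.dumps(body, separators=(",", ":")).encode("utf-8"))
    return f"{h}.{b}."


# Constructed demo material: the header and body are the ones shown above,
# the secret is made up for this example and is not from the page.
DEMO_SECRET = b"demo-shared-secret-not-from-the-page"
DEMO_HEADER = {"alg": "HS256", "typ": "JWT"}
DEMO_BODY = {"sub": "1234567890", "name": "John Doe", "iat": 1516239022}
DEMO_TOKEN = make_hs256_token(DEMO_HEADER, DEMO_BODY, DEMO_SECRET)

if __name__ == "__main__":
    header, body, signature = split_id_token(DEMO_TOKEN)
    print("Header =", header)
    print("Body =", body)
    print("Signature = 0x" + signature.hex())
    print("genuine token valid:", is_valid_hs256(DEMO_TOKEN, DEMO_SECRET))
    print("swapped body valid:", is_valid_hs256(swap_body(DEMO_TOKEN, {"sub": "attacker"}), DEMO_SECRET))
    print("alg none valid:", is_valid_hs256(forge_alg_none(DEMO_BODY), DEMO_SECRET))
```

With a provider that signs RS256, the structure of verify_hs256 stays the same but the HMAC comparison is replaced by an RSA signature check against the provider's published public key; what does not change is that the application, not the token header, decides which algorithm and key are acceptable. Only a body returned by the verifying function should be handed to the claim checks for iss, sub, aud, exp, iat and nonce.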


2022-05-31, 1270🔥, 0💬