What Is the Authentication Claim in id_token
What is the authentication claim in an id_token?
✍: FYIcenter.com
The authentication claims are the information carried in the body (payload) component of the id_token. The OpenID Connect 1.0 specification defines the following primary claims for an authentication response:
"iss" - Required. Identifies the "Issuer" of this authentication, in the form of a case-sensitive URL string with no query or fragment components. Basically, "iss" identifies the source the service provider used to authenticate this user.
For example, if you receive iss="https://sts.windows.net/b9411234-09af-49c2-b0c3-653adc1f376e/" in an id_token, you know that this user was authenticated by the Microsoft Active Directory b9411234-09af-49c2-b0c3-653adc1f376e.
"sub" - Required. Identifies the "Subject" of this authentication. Basically, "sub" is the unique identifier given by the service provider to identify this user.
For example, if you receive sub="yf8C5e_VRkR1egGxJSDt5_olDFay6L5ilBA81hZhQEI" in an id_token, you can store this string in your database as a reference ID for this user. This is better than using the user's email address in your database, because it is not personal information.
"aud" - Required. Identifies the "Audience" of this authentication. Basically, "aud" is the unique identifier of the application that requested this authentication. "aud" is the same as the "client_id" of the OAuth 2.0 protocol.
For example, if you receive aud="http://dev.fyicenter.com" in an id_token, you know that this authentication is issued for your application.
"exp" - Required. Identifies the "Expiration" time of this authentication, in the form of the number of seconds since 1970-01-01T00:00:00Z as measured in UTC.
For example, if you receive exp=1416972488 in an id_token, you should throw it away after 1970-01-01T00:00:00Z plus 1416972488 seconds.
"iat" - Required. Identifies the "Issued At" time of this authentication, in the form of the number of seconds since 1970-01-01T00:00:00Z as measured in UTC.
For example, if you receive iat=1416968588 in an id_token, you know that it was issued at 1970-01-01T00:00:00Z plus 1416968588 seconds.
"nonce" - Conditional. The same "nonce" value that was included in the authentication request. Basically, "nonce" is a random string you include in the request and validate when you receive it back in the response. You should throw it away immediately after the validation to prevent replay attacks.
Here is an example of an id_token after splitting it into its three segments and Base64URL-decoding each one:
Header = { "alg": "HS256", "typ": "JWT" }
Body = { "sub": "1234567890", "name": "John Doe", "iat": 1516239022 }
Signature = 0x49f94ac7044948c78a285d904f87f0a4c7897f7e8f3a4eb2255fda750b2cc397
By the way, Base64URL encoding is the same as Base64 encoding except for 2 encoding characters: "_" is used instead of "/", and "-" is used instead of "+" (and the trailing "=" padding is omitted). This is to make the encoded string URL safe.
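The following script is an added example, not code from FYIcenter.com, that ties the two parts of this page together: it Base64URL-decodes the three segments of an id_token and then checks each of the claims described above ("iss", "sub", "aud", "exp", "iat", "nonce") in the order a relying party should check them, verifying the HS256 signature before trusting any claim. The iss, sub, aud, exp and iat values are the ones used in this page's examples; the HMAC secret and the nonce are constructed for the demonstration, and the "now" value is passed in explicitly so the expiry check is reproducible.

```python
import base64
import hashlib
import hmac
import json

# iss, sub, aud, exp and iat below are this page's example values.
# SECRET and NONCE are constructed for the demonstration only.
SECRET = b"constructed-demo-hmac-secret-not-for-real-use"
ISSUER = "https://sts.windows.net/b9411234-09af-49c2-b0c3-653adc1f376e/"
CLIENT_ID = "http://dev.fyicenter.com"
NONCE = "n-0S6_WzA2Mj"  # constructed; a real client generates one per login request
CLAIMS = {
    "iss": ISSUER,
    "sub": "yf8C5e_VRkR1egGxJSDt5_olDFay6L5ilBA81hZhQEI",
    "aud": CLIENT_ID,
    "exp": 1416972488,
    "iat": 1416968588,
    "nonce": NONCE,
}


def b64url_encode(raw: bytes) -> str:
    """Base64URL: '-' and '_' replace '+' and '/', and the '=' padding is dropped."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding that JWT segments omit, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: bytes) -> str:
    """Build a compact JWS (header.payload.signature) signed with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
    ]
    signing_input = ".".join(segments).encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [b64url_encode(signature)])


def validate_id_token(token, secret, expected_iss, expected_aud, expected_nonce, now, skew=60):
    """Verify the signature first, then check every claim described on this page.

    Returns (True, claims) on success or (False, reason) on the first failure.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "token does not have three segments"
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed segment"
    # Pin the algorithm you expect; never let the token choose it for you.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    signing_input = f"{header_b64}.{body_b64}".encode("ascii")
    expected_sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        return False, "signature mismatch"
    claims = json.loads(b64url_decode(body_b64))
    for name in ("iss", "sub", "aud", "exp", "iat"):
        if name not in claims:
            return False, f"missing required claim {name}"
    if claims["iss"] != expected_iss:
        return False, "iss mismatch"
    # "aud" may be a single string or a list; our client_id must be among them.
    audiences = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if expected_aud not in audiences:
        return False, "aud mismatch"
    if now >= claims["exp"] + skew:
        return False, "token expired"
    if claims["iat"] > now + skew:
        return False, "issued in the future"
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    return True, claims


TOKEN = make_id_token(CLAIMS, SECRET)

if __name__ == "__main__":
    header_b64, body_b64, sig_b64 = TOKEN.split(".")
    print("Header =", b64url_decode(header_b64).decode())
    print("Body =", b64url_decode(body_b64).decode())
    print("Signature = 0x" + b64url_decode(sig_b64).hex())
    print(validate_id_token(TOKEN, SECRET, ISSUER, CLIENT_ID, NONCE, now=1416970000))
```

The check order matters: the signature is verified before any claim is read, the "alg" is pinned rather than taken from the header, "aud" is accepted as either a string or a list (the specification allows both), and the nonce is compared only after everything else passes, after which the caller should discard it so the same response cannot be replayed.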
2022-05-31