What Is the Authentication Claim in id_token
What is the authentication claim in an id_token?
✍: FYIcenter.com
The authentication claim is the information carried in the body (payload) component of the id_token. The OpenID Connect 1.0 specification defines the following primary properties of the authentication claim:
"iss" - Required. Identifies the "Issuer" of this authentication, in the form of a case-sensitive URL string with no query or fragment components. Basically, "iss" identifies the source that authenticated this user, so your application should only accept an id_token whose "iss" matches the issuer it expects.
For example, if you receive iss="https://sts.windows.net/b9411234-09af-49c2-b0c3-653adc1f376e/" in an id_token, you know that this user was authenticated by the Microsoft Active Directory tenant b9411234-09af-49c2-b0c3-653adc1f376e.
"sub" - Required. Identifies the "Subject" of this authentication. Basically, "sub" is the unique identifier assigned by the issuer to identify this user.
For example, if you receive sub="yf8C5e_VRkR1egGxJSDt5_olDFay6L5ilBA81hZhQEI" in an id_token, you can store this string in your database as a reference ID for this user. This is better than using the user's email address in your database, because it is not personal information. Since "sub" is only guaranteed to be unique within one issuer, store it together with "iss".
"aud" - Required. Identifies the "Audience" of this authentication. Basically, "aud" is the unique identifier of the application that requested this authentication. "aud" carries the same value as the "client_id" of the OAuth 2.0 protocol.
For example, if you receive aud="http://dev.fyicenter.com" in an id_token, you know that this authentication was issued for your application; an id_token whose "aud" does not match your own client_id should be rejected.
"exp" - Required. Identifies the "Expiration" time of this authentication, in the form of the number of seconds since 1970-01-01T00:00:00Z as measured in UTC.
For example, if you receive exp=1416972488 in an id_token, you should throw it away once the current time is past 1970-01-01T00:00:00Z plus 1416972488 seconds.
"iat" - Required. Identifies the "Issued At" time of this authentication, in the form of the number of seconds since 1970-01-01T00:00:00Z as measured in UTC.
For example, if you receive iat=1416968588 in an id_token, you know that it was issued at 1970-01-01T00:00:00Z plus 1416968588 seconds.
"nonce" - Conditional. The same "nonce" value that your application included in the authentication request. Basically, "nonce" is a random string you include in the request and check when you receive it back in the response. You should throw the stored nonce away immediately after validating it, so that a replayed id_token carrying the same nonce is rejected.
Here is an example of an id_token after splitting it on "." and Base64URL decoding the three parts (the signature is shown as hex):
Header = { "alg": "HS256", "typ": "JWT" }
Body = { "sub": "1234567890", "name": "John Doe", "iat": 1516239022 }
Signature = 0x49f94ac7044948c78a285d904f87f0a4c7897f7e8f3a4eb2255fda750b2cc397
Note that this sample body carries only "sub" and "iat"; a real id_token also carries the required "iss", "aud" and "exp" claims described above.
By the way, Base64URL encoding is the same as Base64 encoding except for two of the alphabet characters: "_" is used instead of "/", and "-" is used instead of "+". This makes the encoded string URL safe. The trailing "=" padding is also omitted in a JWT, so a decoder has to add it back before decoding.
2022-05-31