What Is the Authentication Claim in id

What Is the Authentication Claim in id_token

Q

What is the authentication claim in an id_token?

✍: FYIcenter.com

A

The authentication claim is the information carried in the id_token body component. OpenID Connect 1.0 specification defines the following primary properties on the authentication claim:

"iss" - Required. Identifies the "Issuer" of this authentication, in the form of a case sensitive URL string with no query or fragment components. Basically, "iss" identifies the source used by the service provider to authenticate this user.

For example, if you receive iss="https://sts.windows.net/b9411234-09af-49c2-b0c3-653adc1f376e/" in an id_token, you know that this user is authenticated by the Microsoft Active Directory: b9411234-09af-49c2-b0c3-653adc1f376e.

"sub" - Required. Identifies the "Subject" of this authentication. Basically, "sub" is the unique identifier given by the service provide to identify this user.

For example, if you receive sub="yf8C5e_VRkR1egGxJSDt5_olDFay6L5ilBA81hZhQEI" in an id_token, you can store this string in your database as a reference ID for this user. This is better than using user's email address in your database, because it not a personal information.

"aud" - Required. Identifies the "Audience" of this authentication. Basically, "aud" is the unique identifier for application that requested this authentication. "aud" is the same as the "client_id" of OAuth 2.0 protocol.

For example, if you receive aud="http://dev.fyicenter.com" in an id_token, you know that this authentication is issued for your application.

"exp" - Required. Identifies the "Expiration" time of this authentication, in the form of the number of seconds from 1970-01-01T0:0:0Z as measured in UTC.

For example, if you receive exp=1416972488, in an id_token, you should throw it away after 1970-01-01T0:0:0Z plus 1416972488 seconds.

"iat" - Required. Identifies the "Issued At" time of this authentication in the form of the number of seconds from 1970-01-01T0:0:0Z as measured in UTC.

For example, if you receive exp=1416968588, in an id_token, you know that it was issued at 1970-01-01T0:0:0Z plus 1416968588 seconds.

"nonce" - Conditional. The same "nonce" value included in the authentication request. Basically, "nonce" is an random string you include in the request and validate it when you received it back in the response. You should throw it away immediately after the validation to prevent replay attacks.

Here is example of "id_token" after splitting and Base64URL decoding:

Header =
{
  "alg": "HS256",
  "typ": "JWT"
}

Body = 
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

Signature = 0x
49f94ac7044948c78a285d904f87f0a4c7897f7e8f3a4eb2255fda750b2cc397

By the way, Base64URL encoding is same as Base64 encoding except for 2 encoding characters: "_" is used instead of "/", and "-" is used instead of "+". This is to make the encoded string URL safe.

⇒ id_token Online Decode Tool

⇐ What Is id_token

⇑ OpenID Connect Authentication Flows

⇑⇑ OpenID Tutorials

2022-05-31, 1074🔥, 0💬

id_token Online Decode Tool
Is there any online tool to decode an id_token string? There are several good online tools you can use to decode an id_token string. For example, go to jwt.io . Copy and paste your id_token string in the input box on left, for example: eyJhbGciOiJIUzI1NiIsInR5cCI6Ik pXVCJ9.eyJuYW1lIjoiSm9lIERvZSIsIm... 2021-06-20, 2209🔥, 0💬

Integration with Azure Active Directory
Where to find tutorials on Integration with Azure Active Directory. Here is a list of tutorials to answer many frequently asked questions compiled by FYIcenter.com team on Integration with Azure Active Directory. What Is Azure Active Directory Azure AD, B2B and B2C Get Application ID from Azure AD A... 2021-06-20, 1263🔥, 0💬

OpenID Connect Authentication Flows
Where to find tutorials on OpenID Connect Authentication Flows. Here is a list of tutorials to answer many frequently asked questions compiled by FYIcenter.com team on OpenID Connect Authentication Flows. Components Involved in OpenID Connect Authentication What Are Authentication Flows OpenID Conne... 2019-01-20, 1219🔥, 0💬

Azure AD, B2B and B2C
What are differences between Azure AD, B2B and B2C? Azure AD actually offers 3 different services: Azure AD - Provide authentication services to users in your own organization. Azure AD B2B - Provide authentication services to users in your own organizations and your external partner organizations. ... 2021-06-20, 1207🔥, 0💬

What Is id_token
What is id_token used in OpenID Connect protocol? "id_token" is Base64URL encoded string returned from the authentication service provider after the user successfully finishes the authentication process. "id_token" follows the "RFC 7519 - JWT (JSON Web Token)" to encode authentication information. Y... 2022-05-31, 1201🔥, 0💬

What Are Authentication Flows
What are authentication flows specified in OpenID Connect? OpenID Connect supports 3 authentication data flows: 1. Authorization Code Flow - The Authorization Code Flow is more complex to implement. But it is more secure. In the Authorization Code Flow, only a short authorization code is returned to... 2021-08-11, 1159🔥, 0💬

Components Involved in OpenID Connect Authentication
What are components involved in OpenID Connect authentication flows? There are 4 components involved in a typical OpenID Connect authentication flow: 1. OpenID Provider (OP) - The OpenID Connect authentication service provider, who provides services to authenticate the end user. For example, Microso... 2021-08-11, 1134🔥, 0💬

OpenID Connect Authorization Code Flow
What is the authentication code flow specified in OpenID Connect? The Authorization Code Flow is most secure authentication flow specified in OpenID Connect. Here are the steps of the Authorization Code flow given in the OpenID Connect 1.0 specification: Rely Party prepares an authentication request... 2021-08-11, 1106🔥, 0💬

What Is the Authentication Claim in id_token
What is the authentication claim in an id_token? The authentication claim is the information carried in the id_token body component. OpenID Connect 1.0 specification defines the following primary properties on the authentication claim: "iss" - Required. Identifies the "Issuer" of this authentication... 2022-05-31, 1075🔥, 0💬

All rights in the contents of this web site are reserved by the individual author. fyicenter.com does not guarantee the truthfulness, accuracy, or reliability of any contents.