What Is the Authentication Claim in id_token
What is the authentication claim in an id_token?
✍: FYIcenter.com
The authentication claims are the name/value pairs carried in the body (payload) of the id_token. The OpenID Connect Core 1.0 specification defines the following primary claims for the ID Token:
"iss" - Required. Identifies the "Issuer" of this authentication, as a case-sensitive URL string using the https scheme, with no query or fragment components. Basically, "iss" names the OpenID Provider that authenticated this user, and the relying party must compare it exactly against the issuer it was configured to trust.
For example, if you receive iss="https://sts.windows.net/b9411234-09af-49c2-b0c3-653adc1f376e/" in an id_token, you know that this user was authenticated by the Azure Active Directory tenant b9411234-09af-49c2-b0c3-653adc1f376e.
"sub" - Required. Identifies the "Subject" of this authentication. Basically, "sub" is the identifier the OpenID Provider assigns to this user; it is unique within that issuer and is never reassigned to another user.
For example, if you receive sub="yf8C5e_VRkR1egGxJSDt5_olDFay6L5ilBA81hZhQEI" in an id_token, you can store this string in your database as the reference ID for this user. This is better than using the user's email address, because it is not personal information and it does not change when the user changes their email address. Because "sub" is only guaranteed unique within one issuer, key the record on the ("iss", "sub") pair if you accept logins from more than one provider.
"aud" - Required. Identifies the "Audience" of this authentication. Basically, "aud" is the unique identifier of the application that requested this authentication, and it must contain the "client_id" that the application uses in the OAuth 2.0 protocol. It is normally a single string, but it may be an array if the token was issued for several audiences.
For example, if you receive aud="http://dev.fyicenter.com" in an id_token and that is your application's client_id, you know that this authentication was issued for your application. If your client_id is not in "aud", reject the token even if everything else in it is valid.
"exp" - Required. Identifies the "Expiration" time of this authentication, as the number of seconds since 1970-01-01T00:00:00Z (UTC).
For example, if you receive exp=1416972488 in an id_token, you must not accept it on or after 1970-01-01T00:00:00Z plus 1416972488 seconds, which is 2014-11-26T03:28:08Z. Allowing a small clock skew (a minute or two) between your server and the provider is acceptable; allowing unbounded skew is not.
"iat" - Required. Identifies the "Issued At" time of this authentication, in the same form as "exp": the number of seconds since 1970-01-01T00:00:00Z (UTC).
For example, if you receive iat=1416968588 in an id_token, you know that it was issued at 1970-01-01T00:00:00Z plus 1416968588 seconds, which is 2014-11-26T02:23:08Z, 65 minutes before the "exp" value above.
"nonce" - Conditional. Must be present, with the same value, whenever a "nonce" was sent in the authentication request. Basically, "nonce" is a random, unguessable string your application generates for each login, stores in the user's session, sends in the request, and compares with the value that comes back in the id_token. Delete it from the session as soon as it has been checked, so that a captured id_token cannot be replayed to complete a second login.
Here is an example of an "id_token" after splitting it on "." and Base64URL decoding each part:
    Header    = { "alg": "HS256", "typ": "JWT" }
    Body      = { "sub": "1234567890", "name": "John Doe", "iat": 1516239022 }
    Signature = 0x 49f94ac7044948c78a285d904f87f0a4c7897f7e8f3a4eb2255fda750b2cc397
Note that this minimal sample only carries "sub" and "iat". An id_token from a real OpenID Provider also carries "iss", "aud" and "exp", and it is normally signed with an asymmetric algorithm such as RS256 rather than HS256, so that the relying party can verify the signature with the provider's published public key instead of a shared secret.
By the way, Base64URL encoding is the same as Base64 encoding except for two characters: "_" is used instead of "/", and "-" is used instead of "+". In addition, JWT segments drop the trailing "=" padding. This makes the encoded string safe to use in URLs; when decoding a segment, restore the padding to a multiple of 4 characters first.
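The following is an added example, not code from FYIcenter.com, that puts the rules above into practice: it Base64URL-decodes the three segments (restoring the dropped padding), verifies the signature before trusting any claim, and then checks "iss", "aud", "exp", "iat" and "nonce" as described in the list of claims. The issuer, client_id, secret, nonce and timestamps are constructed values for the demo; HS256 with a shared secret is used only so the example runs offline, since a real provider would sign with an asymmetric key published through its JWKS endpoint.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only; they are not from any real provider.
ISSUER = "https://sts.windows.net/b9411234-09af-49c2-b0c3-653adc1f376e/"
CLIENT_ID = "http://dev.fyicenter.com"
SECRET = b"example-shared-secret-not-for-production"   # constructed HS256 key


def b64url_decode(segment):
    """Base64URL-decode one JWT segment; JWTs drop the '=' padding, so restore it."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    """Base64URL-encode without padding, the way JWT segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def split_id_token(token):
    """Split header.payload.signature and decode the three parts."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token must have exactly three '.'-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    signature = b64url_decode(parts[2])
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    return header, claims, signature, signing_input


def make_id_token(claims, secret):
    """Mint an HS256 id_token for the demo. Real providers use RS256/ES256 and
    publish the public key via JWKS; HS256 is used here only to run offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header).encode())
                     + "." + b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token, secret, expected_iss, client_id,
                      expected_nonce=None, now=None, leeway=60):
    """Check signature, then iss / aud / exp / iat / nonce. Raises ValueError on failure."""
    now = int(time.time()) if now is None else now
    header, claims, signature, signing_input = split_id_token(token)
    # 1. Signature first: no claim is trustworthy before this passes. Pin the
    #    algorithm you expect rather than honouring whatever 'alg' says.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected_sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected_sig):
        raise ValueError("signature verification failed")
    # 2. All five required claims must be present.
    missing = [c for c in ("iss", "sub", "aud", "exp", "iat") if c not in claims]
    if missing:
        raise ValueError("missing required claims: %s" % missing)
    # 3. iss: exact, case-sensitive match against the provider you configured.
    if claims["iss"] != expected_iss:
        raise ValueError("untrusted issuer %r" % claims["iss"])
    # 4. aud may be a string or a list; our client_id must be in it. With several
    #    audiences the spec also expects an 'azp' claim naming this client.
    audiences = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if client_id not in audiences:
        raise ValueError("token not issued to us: aud=%r" % claims["aud"])
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences but azp does not name this client")
    # 5. exp / iat are seconds since the Unix epoch; allow a small clock skew only.
    if now >= int(claims["exp"]) + leeway:
        raise ValueError("id_token expired")
    if int(claims["iat"]) > now + leeway:
        raise ValueError("id_token issued in the future")
    # 6. nonce must equal the value this client put in the authentication request.
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def consume_nonce(session):
    """Pop the pending nonce from the login session so it is used exactly once;
    a replayed response finds no nonce and is rejected."""
    try:
        return session.pop("nonce")
    except KeyError:
        raise ValueError("no pending nonce for this session (already used?)")


if __name__ == "__main__":
    issued = 1416968588                       # 2014-11-26T02:23:08Z, as in the article
    session = {"nonce": "n-0S6_WzA2Mj"}       # constructed; stored when the request was built
    token = make_id_token({
        "iss": ISSUER, "sub": "yf8C5e_VRkR1egGxJSDt5_olDFay6L5ilBA81hZhQEI",
        "aud": CLIENT_ID, "iat": issued, "exp": issued + 3900, "nonce": session["nonce"],
    }, SECRET)
    claims = validate_id_token(token, SECRET, ISSUER, CLIENT_ID,
                               expected_nonce=consume_nonce(session), now=issued + 60)
    print("store this as the user key:", (claims["iss"], claims["sub"]))
```

The order of the checks matters: the signature is verified before any claim is read, the algorithm is pinned instead of taken from the header, and the nonce is removed from the session in the same step that validates it, so a second presentation of the same id_token fails at consume_nonce rather than being accepted. Swapping the HS256 check for an RS256 verification against the provider's JWKS key is the only change needed for a real OpenID Provider.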
2022-05-31