FusionAuth

How should I validate Id token

  • trashmi13
    last edited 24 Nov 2021, 13:51

    So far we are doing a POC on FusionAuth so that our organization can decide to go with FusionAuth or not.

    Everything looks promising so far but somehow I couldn't find anything related to OpenID token verification.

    I am looking for something like the code snippet so that we can verify/validate the ID token. Can you please suggest where I can get some reference code to do the ID token validation?

    Sample code
    // The required parameters
    Issuer iss = new Issuer("https://idp.c2id.com");
    ClientID clientID = new ClientID("123");
    JWSAlgorithm jwsAlg = JWSAlgorithm.RS256;
    URL jwkSetURL = new URL("https://idp.c2id.com/jwks.json");

    // Create validator for signed ID tokens
    IDTokenValidator validator = new IDTokenValidator(iss, clientID, jwsAlg, jwkSetURL);

    • dan @trashmi13
      last edited 24 Nov 2021, 16:38

      @trashmi13

      Hiya. You can validate this token using any JWT library, as Id Tokens are valid JSON Web Tokens.

      I'm not sure what language you are using, but here's an example for Java using the fusionauth-jwt library:

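          import java.util.HashMap;
          import java.util.List;
          import java.util.Map;

          import io.fusionauth.jwks.JSONWebKeySetHelper;
          import io.fusionauth.jwks.domain.JSONWebKey;
          import io.fusionauth.jwt.Verifier;
          import io.fusionauth.jwt.domain.JWT;
          import io.fusionauth.jwt.rsa.RSAVerifier;

          // Fetch the issuer's published signing keys from its JWKS endpoint
          List<JSONWebKey> keys = JSONWebKeySetHelper.retrieveKeysFromJWKS("https://www.googleapis.com/oauth2/v3/certs");

          // Build one verifier per key, indexed by key id (kid)
          Map<String, Verifier> publicKeyVerifiers = new HashMap<String, Verifier>();
          for (JSONWebKey key : keys) {
              String publicKey = key.x5c.get(0); // x5c is optional in a JWK; this assumes the issuer publishes it
              Verifier verifier = RSAVerifier.newVerifier(publicKey); // assuming all keys are RSA. You could switch on type as well.
              String kid = key.kid;
              publicKeyVerifiers.put(kid, verifier);
          }

          // Verify and decode the encoded string JWT to a rich object
          // (encodedJWT is the ID token string received from the identity provider)
          JWT jwt2 = JWT.getDecoder().decode(encodedJWT, publicKeyVerifiers);

          // make sure the aud and issuer are as expected
          // (fixed: the expiration check referred to an undefined variable jwt instead of jwt2)
          if (jwt2.audience.equals("gge44ab3-027f-47c5-bb07-8dd8ab37a2d3") && jwt2.issuer.equals("www.acme.com") && (jwt2.expiration.toEpochSecond() > (System.currentTimeMillis() / 1000))) {
              // valid id token
          }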
      

      Hope this helps.

      --
      FusionAuth - Auth for devs, built by devs.
      https://fusionauth.io
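
The claim checks mentioned in the reply above, as an added example that is not part of either post and is not FusionAuth's own code. It goes beyond the aud/iss/exp comparison in the reply by also handling an array-valued `aud`, `azp` and `nonce`. It assumes the claims were already decoded and signature-verified by a JWT library; the class and method names, issuer URL, client IDs, nonce and clock-skew value are all hypothetical.

```java
import java.time.Instant;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;

// Added example: claim checks to run after a JWT library has verified the signature.
public class IdTokenClaimCheck {
    static final long CLOCK_SKEW_SECONDS = 60; // assumed tolerance

    /** Returns null when the claims are acceptable, otherwise the reason for rejection. */
    static String reject(Map<String, Object> claims, String expectedIssuer,
                         String clientId, String expectedNonce, Instant now) {
        // iss must equal the configured issuer exactly
        if (!expectedIssuer.equals(claims.get("iss"))) return "unexpected issuer";

        // aud may be one string or an array of strings
        Object aud = claims.get("aud");
        Collection<?> audiences = aud instanceof Collection
                ? (Collection<?>) aud : Collections.singletonList(aud);
        if (!audiences.contains(clientId)) return "token not issued for this client";

        // with several audiences, require azp to name this client
        if (audiences.size() > 1 && !clientId.equals(claims.get("azp"))) return "azp mismatch";

        // exp is seconds since the epoch; a missing exp is rejected
        Object exp = claims.get("exp");
        if (!(exp instanceof Number)) return "missing exp";
        if (now.getEpochSecond() - CLOCK_SKEW_SECONDS >= ((Number) exp).longValue()) return "expired";

        // nonce ties the token to the login request this client started
        if (expectedNonce != null && !expectedNonce.equals(claims.get("nonce"))) return "nonce mismatch";
        return null;
    }

    public static void main(String[] args) {
        Instant now = Instant.ofEpochSecond(1_637_771_000L); // constructed clock value
        Map<String, Object> claims = Map.of(                  // constructed sample claims
                "iss", "https://auth.example.test",
                "aud", List.of("client-a", "client-b"),
                "azp", "client-a",
                "exp", 1_637_774_600L,
                "nonce", "n-123");
        String iss = "https://auth.example.test";
        System.out.println(reject(claims, iss, "client-a", "n-123", now));       // matching client
        System.out.println(reject(claims, iss, "client-b", "n-123", now));       // audience member that azp does not name
        System.out.println(reject(claims, iss + "/", "client-a", "n-123", now)); // issuer with a trailing slash
    }
}
```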
