
Validate ID tokens

The ID token is a security token that is sent by WSO2 Identity Server to the application when a token is requested with OpenID scopes. This ID token contains information about the authenticated user.

Sample ID token

eyJ4NXQiOiJZemM1T1Rnd1pURTNNV1F6TVdFek5ERm1OelZoTTJOaU9UQmxOamN3TlRJNU9HTTBNbVExWWprd1lqZzJNVEl3WldNd056TTRNemcxWkdJeVpEZzNaQSIsImtpZCI6Ill6YzVPVGd3WlRFM01XUXpNV0V6TkRGbU56VmhNMk5pT1RCbE5qY3dOVEk1T0dNME1tUTFZamt3WWpnMk1USXdaV013TnpNNE16ZzFaR0l5WkRnM1pBX1JTMjU2IiwiYWxnIjoiUlMyNTYifQ.eyJpc2siOiIzYzdlNDIyZGFkNTk1MDc3ZTAyYTYzNjRjYzViN2M5YTE2NzFkNzhmYWQ1MmZmZTVlNmE0MzcwOTRiNGNhOWZmIiwiYXRfaGFzaCI6IklVdEVuNHRLQWlzVWVXRDhIWGZwRXciLCJhdWQiOiJXc29xOHQ0bkhXODBnU25QZnlEdlJiaUNfX0VhIiwiY19oYXNoIjoic3ZicjU1SEVIUGo3emt3Z2VuSkgxUSIsInN1YiI6IkFsaWNhQGJpZnJvc3QuY29tIiwibmJmIjoxNjI5OTY4MzQ0LCJhenAiOiJXc29xOHQ0bkhXODBnU25QZnlEdlJiaUNfX0VhIiwiYW1yIjpbIkJhc2ljQXV0aGVudGljYXRvciJdLCJpc3MiOiJodHRwczpcL1wvYXBpLmFzZ2FyZGVvLmlvXC90XC9iaWZyb3N0XC9vYXV0aDJcL3Rva2VuIiwiZXhwIjoxNjI5OTcxOTQ0LCJpYXQiOjE2Mjk5NjgzNDQsInNpZCI6ImY3OGY1ZjRjLTE4NjItNDIwOS04NWEzLWUyMmMyYTljMDY4ZCJ9.D9-lJ8vtC8Hj5mJvUm1ld9w0rifPzjHc6UyCbENtWbno0zTYB_ki3_z-x7zI_-72ixiDpsjzwLbmKKWw8tFtqWM36WvdwBH6mBDVB_K7cy8NqrACLOjFgBrRa3HXwHkwAgwHp6Vpgbs35aAbwf0OTBxeohnbEA4y84D0pFILHm-u_iFG1-tS-QKKh6s8SBR0MNA6dJqj95R3NVF-tk4aztHI5GB63aaw2E883Xd6r2k4MIi3vQoB35-T_zFSebypaheyW3IXCPNsXjsyy4toMRfE4KEeI-j20vixxtIB22OlOWBMie7ce9Atzu6op0R0eJz3f3Ch6OrPxcvT3ghSJQ

Decoded sample ID token

{
  "isk": "7b8bfe9f4ed1396eb777b0c6d8e111af6e0c18b416074c6ee8ca3f424fcc6c66",
  "at_hash": "znkxxOhMFPQ6P9W74IJJMA",
  "sub": "3b7cbde5-bfc7-474a-b79e-4d9e03c4c55f",
  "amr": [
    "BasicAuthenticator"
  ],
  "iss": "https://localhost:9443/oauth2/token",
  "sid": "de96a883-9baf-409e-9711-eaa7ca841f51",
  "aud": "hyfI0ShhPybRU7zP2nnm3jEtJ4sa",
  "c_hash": "Jsg6vv4Q4lzpPmTtAoxImA",
  "nbf": 1697445072,
  "azp": "hyfI0ShhPybRU7zP2nnm3jEtJ4sa",
  "org_id": "332080fd-338e-4269-88e4-a565c98d74cb",
  "exp": 1697448672,
  "org_name": "Super",
  "iat": 1697445072,
  "jti": "3807f58a-70e3-41a8-96d5-1c394fc8cf55"
}

Use the following methods to validate the ID token:

Verify the signature in the ID token

To validate the signature on an ID token, you need the public key of WSO2 Identity Server. WSO2 Identity Server publishes its public key information through the standard JWKS endpoint, so a JWT or signature validation library can fetch the keys from that endpoint and verify the signature of the ID token.

JWKS endpoint

https://localhost:9443/oauth2/jwks

Sample request

cURL

curl --location --request GET 'https://localhost:9443/oauth2/jwks'

JavaScript - jQuery

var settings = {
    "url": "https://localhost:9443/oauth2/jwks",
    "method": "GET",
    "timeout": 0,
};

$.ajax(settings).done(function (response) {
    console.log(response);
});

JavaScript - axios

var axios = require('axios');

var config = {
    method: 'get',
    url: 'https://localhost:9443/oauth2/jwks',
    headers: {}
};

axios(config)
    .then(function (response) {
        console.log(JSON.stringify(response.data));
    })
    .catch(function (error) {
        console.log(error);
    });

Sample response

{
  "keys": [
    {
      "kty": "RSA",
      "e": "AQAB",
      "use": "sig",
      "kid": "Yzc5OTgwZTE3MWQzMWEzNDFmNzVhM2NiOTBlNjcwNTI5OGM0MmQ1YjkwYjg2MTIwZWMwNzM4Mzg1ZGIyZDg3ZA_RS256",
      "alg": "RS256",
      "n": "i_i34CgF8IZd8e27sY3lJkX6MyW7e2oIH0f_OlnwftTdS-SAmmIMm06QdyhDr0fycTuNR9hjsEhSm9ecS5kZh9qsuffLb1N041Ml37VE6qeOKP4AocvYmr0rtpH0TUgqXndDeFAAF3oLVhUTokw9Ik-T23cEPDA8gMCmQf7Nje7fNsQ6aCuzzvfUekXvRnDl_7ZAHgbw_0gyujIJ11NlKiNbmCdKMATn68TwQ4U5RJD9-IT0zizWm1ciV-ZOc12L8AsUI-QFjLnUlM4S42X1oj0Tao1oL9V8QGASHHIGKqJ9YxvvnuxaHd42NFFHJcwB4oLlirjOyI5HfKZRFE4FzQ"
    }
  ]
}


Verify claims in the ID token

Applications should verify the claims in the ID token before consuming it. You can either use a JWT library or verify the claims manually.

The following claims are sent in the ID token and must be verified by the application.

iss (issuer): This should match the issuer value https://localhost:9443/oauth2/token.

aud (audience): This should match the client ID of the application.

iat (issued at time): This indicates when the ID token was issued. Applications can reject tokens that were issued too long ago.

exp (expiry time): This indicates the time at which the ID token will expire. Applications should reject expired tokens.