FusionAuth

    How should I validate ID token

    • trashmi13

      So far we are doing a POC on FusionAuth so that our organization can decide whether to go with FusionAuth or not.

      Everything looks promising so far, but somehow I couldn't find anything related to OpenID token verification.

      I am looking for something like the code snippet below so that we can verify/validate the ID token. Can you please suggest where I can get some reference code to do the ID token validation?

      Sample code
      // The required parameters
      Issuer iss = new Issuer("https://idp.c2id.com");
      ClientID clientID = new ClientID("123");
      JWSAlgorithm jwsAlg = JWSAlgorithm.RS256;
      URL jwkSetURL = new URL("https://idp.c2id.com/jwks.json");

      // Create validator for signed ID tokens
      IDTokenValidator validator = new IDTokenValidator(iss, clientID, jwsAlg, jwkSetURL);

      • dan

        @trashmi13

        Hiya. You can validate this token using any JWT library, as ID Tokens are valid JSON Web Tokens.

        I'm not sure what language you are using, but here's an example for Java using the fusionauth-jwt library:

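            import io.fusionauth.jwks.JSONWebKeySetHelper;
            import io.fusionauth.jwks.domain.JSONWebKey;
            import io.fusionauth.jwt.Verifier;
            import io.fusionauth.jwt.domain.JWT;
            import io.fusionauth.jwt.rsa.RSAVerifier;
            import java.util.HashMap;
            import java.util.List;
            import java.util.Map;

            // Fetch the signing keys the provider publishes at its JWKS endpoint
            List<JSONWebKey> keys = JSONWebKeySetHelper.retrieveKeysFromJWKS("https://www.googleapis.com/oauth2/v3/certs");

            // Build one verifier per key, indexed by key id (kid)
            Map<String, Verifier> publicKeyVerifiers = new HashMap<String, Verifier>();
            for (JSONWebKey key : keys) {
                String publicKey = key.x5c.get(0);
                Verifier verifier = RSAVerifier.newVerifier(publicKey); // assuming all keys are RSA. You could switch on type as well.
                String kid = key.kid;
                publicKeyVerifiers.put(kid, verifier);
            }

            // Verify and decode the encoded string JWT to a rich object
            // (encodedJWT is the ID token string received from the provider)
            JWT jwt2 = JWT.getDecoder().decode(encodedJWT, publicKeyVerifiers);

            // make sure the aud and issuer are as expected
            if (jwt2.audience.equals("gge44ab3-027f-47c5-bb07-8dd8ab37a2d3") && jwt2.issuer.equals("www.acme.com") && (jwt2.expiration.toEpochSecond() > (System.currentTimeMillis() / 1000))) {
                // valid id token
            }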
        

        Hope this helps.

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io
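
The claim checks that follow signature verification, written out as an added example (not code from this thread or from FusionAuth). It goes beyond the `aud`/`iss`/`exp` comparison above to cover an `aud` array, `azp` and `nonce` as described in OpenID Connect Core section 3.1.3.7; the issuer URL, client ids, nonce and the 60-second skew allowance are constructed values, and the claims are assumed to be already decoded into a `Map`.

```java
import java.time.Instant;
import java.util.*;

// Added example: checks to run on the claims AFTER the JWT signature has been verified.
public class IdTokenClaimsCheck {
    static final long SKEW_SECONDS = 60; // assumed clock-skew allowance

    /** Returns the reasons to reject the token; an empty list means the claims are acceptable. */
    static List<String> problems(Map<String, Object> claims, String issuer, String clientId,
                                 String expectedNonce, Instant now) {
        List<String> problems = new ArrayList<>();
        if (!issuer.equals(claims.get("iss"))) problems.add("iss is not the expected issuer");

        // aud is a single string or an array of strings; either way it must contain our client id
        Object aud = claims.get("aud");
        List<?> audiences = Collections.singletonList(aud);
        if (aud instanceof List) audiences = (List<?>) aud;
        if (!audiences.contains(clientId)) problems.add("aud does not contain this client");

        // azp, when present, must be this client; it is expected when aud lists several audiences
        Object azp = claims.get("azp");
        if (azp == null ? audiences.size() > 1 : !clientId.equals(azp))
            problems.add("azp is missing or names another client");

        // exp is seconds since the epoch; the current time must be before it
        Object exp = claims.get("exp");
        if (!(exp instanceof Number)) problems.add("exp is missing");
        else if (now.getEpochSecond() >= ((Number) exp).longValue() + SKEW_SECONDS)
            problems.add("token has expired");

        // if a nonce was sent in the authentication request, the token must echo it back
        if (expectedNonce != null && !expectedNonce.equals(claims.get("nonce")))
            problems.add("nonce does not match the request");
        return problems;
    }

    public static void main(String[] args) {
        Instant now = Instant.now();
        Map<String, Object> claims = new HashMap<>(); // constructed sample claims
        claims.put("iss", "https://idp.example.com");
        claims.put("aud", Arrays.asList("client-a", "client-b"));
        claims.put("azp", "client-b");
        claims.put("exp", now.getEpochSecond() + 300);
        claims.put("nonce", "n-123");
        // the same token checked by the authorized party and by another listed audience
        System.out.println(problems(claims, "https://idp.example.com", "client-b", "n-123", now));
        System.out.println(problems(claims, "https://idp.example.com", "client-a", "n-123", now));
    }
}
```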
