Navigation

    FusionAuth
    • Login
    • Search
    • Home
    • Categories
    • Recent
    • Popular
    • Pricing
    • Contact us
    • Docs

    UNSOLVED How should i validate Id token

    Q&A
    2
    2
    469
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      trashmi13 last edited by

      So far we are doing POC on fusionAuth so that our organization can decide to go with fusionAuth or not.

      Everything looks promising so far but somehow I couldn't find anything related to OpenId token verification.

      I am looking for something like the code snippet so that we can verify/validate Id token . Can you please suggest where I can get some reference code to do the ID token validation.

      Sample code
      // The required parameters
      Issuer iss = new Issuer("https://idp.c2id.com");
      ClientID clientID = new ClientID("123");
      JWSAlgorithm jwsAlg = JWSAlgorithm.RS256;
      URL jwkSetURL = new URL("https://idp.c2id.com/jwks.json");

      // Create validator for signed ID tokens
      IDTokenValidator validator = new IDTokenValidator(iss, clientID, jwsAlg, jwkSetURL);

      dan 1 Reply Last reply Reply Quote 0
      • dan
        dan @trashmi13 last edited by

        @trashmi13

        Hiya. You can validate this token using any JWT library, as Id Tokens are valid JSON Web Tokens.

        I'm not sure what language you are using, but here's an example for java using the fusionauth-jwt library:

            List<JSONWebKey> keys = JSONWebKeySetHelper.retrieveKeysFromJWKS("https://www.googleapis.com/oauth2/v3/certs");
    
     Map<String, Verifier> publicKeyVerifiers = new HashMap<String,Verifier>();
     for (JSONWebKey key : keys) {
        String publicKey = key.x5c.get(0); 
        Verifier verifier = RSAVerifier.newVerifier(publicKey); // assuming all keys are RSA. You could switch on type as well.
        String kid = key.kid;
        publicKeyVerifiers.put(kid, verifier);
     }
     
     // Verify and decode the encoded string JWT to a rich object
     JWT jwt2 = JWT.getDecoder().decode(encodedJWT, publicKeyVerifiers);
     
     // make sure the aud and issuer are as expected
     if (jwt2.audience.equals("gge44ab3-027f-47c5-bb07-8dd8ab37a2d3") && jwt2.issuer.equals("www.acme.com") && (jwt.expiration.toEpochSecond() > (System.currentTimeMillis()/1000) )) {
    	 // valid id token
     }

        Hope this helps.

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        1 Reply Last reply Reply Quote 0
        • First post
          Last post