- changed title to Signature Validating of the Token
Access token signature validation
Hi there,
Is there any method available to validate the token?
Input will be:
1) String token
2) String OpenID URL: this will have jwks_uri, which has all the key information
Looking for all three pieces of information for validation related to the token:
1) Validate the signature of the token
2) Validate the user-defined claim attributes of the token: the user will supply the list of claimAttributes
3) Validate the expiry of the token: based on the expiry date and nbf date
Currently for 2 and 3 I am using my own validation. I am wondering whether there is any method available for that.
For requirement 1), validating the token:
Input:
1) String token
2) OpenID URL ----> internally it will fetch jwks_uri and get the public key information
1) I am using some documentation available from the SDK and making similar changes to the code. If there is any method available, could you please point us to it?
Attaching the code.
Thanks, Vinoj
Comments (10)
reporter - edited description
reporter - edited description
reporter - edited description
Hi,
Take a look at this:
http://connect2id.com/blog/how-to-validate-an-openid-connect-id-token
And that:
Most of the validation logic is already available, except for what you call user-defined attributes.
- changed status to resolved
reporter - changed status to open
reporter -
Hi there,
I am trying to validate the access token, not the OpenID token. I have two inputs:
1) AccessToken
2) URL with the public key information -> which has jwks_uri to fetch the n and e values to formulate the public key
I have to do the basic validation using the AccessToken:
1) signature validation
2) expiry date validation
3) claims attribute validation
Again, this is not the OpenID token; any methods or blog which I can use would be really helpful.
Thanks, Vinoj
- changed title to Access token signature validation
Fixed title to clarify an access token is being validated, not ID token
- changed status to invalid
This SDK doesn't provide methods to introspect access tokens, because their format and encoding is outside the scope of the OAuth 2.0 standard:
http://tools.ietf.org/html/rfc6749#section-1.4
So the token can be an arbitrary string. It looks like in this case you have an access token that happens to be encoded as a JWT. If you can't decode the access token using the ID token routine, take a look at the generic JWT validator in the Nimbus JOSE+JWT lib:
What server issued this access token BTW?
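As an added illustration of the route suggested above (this is example code written for this thread, not the SDK's own code or the maintainer's), the following class covers the three checks the reporter asked for on a JWT-encoded access token: the jwks_uri is discovered from the issuer's OpenID configuration with the OAuth 2.0 SDK, the signature is verified against the keys published there, and the generic JWT processor from Nimbus JOSE+JWT checks exp/nbf and an exact-match list of caller-supplied claims. It assumes a recent Nimbus JOSE+JWT (RemoteJWKSet, DefaultJWTClaimsVerifier with the exact-match constructor) and a recent OAuth 2.0 SDK (OIDCProviderMetadata.resolve); the class and method names are my own.

```java
import java.net.URL;
import java.text.ParseException;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;

// Example class (not part of the SDK): validates a JWT-encoded access token.
public class JwtAccessTokenValidator {

    private final ConfigurableJWTProcessor<SecurityContext> processor;

    /**
     * @param issuerUrl           the OpenID provider issuer URL (discovery document is fetched from it)
     * @param expectedAlg         the JWS algorithm the issuer is known to use, e.g. RS256; tokens with
     *                            any other "alg" header are rejected by the key selector
     * @param requiredClaimValues claims that must be present with exactly these values
     */
    public JwtAccessTokenValidator(String issuerUrl,
                                   JWSAlgorithm expectedAlg,
                                   Map<String, Object> requiredClaimValues) throws Exception {

        // 1. Discover jwks_uri from <issuer>/.well-known/openid-configuration
        OIDCProviderMetadata metadata = OIDCProviderMetadata.resolve(new Issuer(issuerUrl));
        URL jwksUrl = metadata.getJWKSetURI().toURL();

        // 2. Signature check: keys are fetched (and cached) from jwks_uri and matched
        //    by the "kid" / "alg" in the JWS header; the "n" and "e" values from the
        //    JWK are turned into the RSA public key by the library.
        JWKSource<SecurityContext> keySource = new RemoteJWKSet<>(jwksUrl);
        JWSKeySelector<SecurityContext> keySelector =
                new JWSVerificationKeySelector<>(expectedAlg, keySource);

        processor = new DefaultJWTProcessor<>();
        processor.setJWSKeySelector(keySelector);

        // 3. Claims check: "iss" plus the caller-supplied claims must match exactly;
        //    "exp" and "nbf" are checked against the clock by DefaultJWTClaimsVerifier.
        //    "exp" is added to the required set so a token without an expiry is rejected.
        JWTClaimsSet.Builder exactMatch = new JWTClaimsSet.Builder().issuer(issuerUrl);
        for (Map.Entry<String, Object> claim : requiredClaimValues.entrySet()) {
            exactMatch.claim(claim.getKey(), claim.getValue());
        }
        Set<String> requiredClaims = new HashSet<>(requiredClaimValues.keySet());
        requiredClaims.add("exp");
        processor.setJWTClaimsSetVerifier(
                new DefaultJWTClaimsVerifier<>(exactMatch.build(), requiredClaims));
    }

    /**
     * Runs signature, expiry/not-before and claim checks in one pass.
     * Returns the verified claims; throws BadJOSEException on any failed check.
     */
    public JWTClaimsSet validate(String accessToken)
            throws ParseException, BadJOSEException, JOSEException {
        return processor.process(accessToken, null);
    }

    // Usage: java JwtAccessTokenValidator <issuer-url> <access-token>
    public static void main(String[] args) throws Exception {
        Map<String, Object> mustMatch = Map.of("scope", "read");   // constructed example claim
        JwtAccessTokenValidator validator =
                new JwtAccessTokenValidator(args[0], JWSAlgorithm.RS256, mustMatch);
        JWTClaimsSet claims = validator.validate(args[1]);
        System.out.println("token valid for subject " + claims.getSubject()
                + ", expires " + claims.getExpirationTime());
    }
}
```

Pinning expectedAlg to the algorithm the issuer actually uses (rather than trusting the token's own "alg" header) is what stops a token signed with a different or weaker algorithm from being accepted, and the exact-match verifier is the replacement for the hand-written "user defined claim attributes" check described earlier in the thread.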